
Alternating Two-Way AC-Tree Automata ⋆

Kumar Neeraj Verma 1,∗
Technische Universität München, Institut für Informatik / I2, Boltzmannstraße 3, 85748 Garching, Germany

Jean Goubault-Larrecq
LSV/CNRS UMR 8643 & INRIA Futurs projet SECSI & ENS Cachan, 61, av. du président-Wilson, 94235 Cachan Cedex, France

Abstract

We explore the notion of alternating two-way tree automata modulo the theory of finitely many associative-commutative (AC) symbols. This was prompted by questions arising in cryptographic protocol verification, in particular in modeling group key agreement schemes based on Diffie-Hellman-like functions, where the emptiness question for intersections of such automata is fundamental. This also has independent interest. We show that the use of general push clauses, or of alternation, leads to undecidability, already in the case of one AC symbol, with only functions of arity zero. On the other hand, emptiness is decidable in the general case of several function symbols, including several AC symbols, provided push clauses are unconditional and intersection clauses are final. This class of automata is also shown to be closed under intersection.

Key words: associative-commutative, tree automata, two-way tree automata, alternating tree automata, branching vector addition systems with states, resolution, cryptographic protocols

⋆ Partially supported by the ACI VERNAM, the RNTL project EVA, the RNTL project Prouvé, and the ACI jeunes chercheurs “Sécurité informatique, protocoles cryptographiques et détection d’intrusions”.
∗ Corresponding author. Tel: +49 89 28 91 81 88, Fax: +49 89 28 91 81 61.

Email addresses: [email protected] (Kumar Neeraj Verma), [email protected] (Jean Goubault-Larrecq).

URLs: http://www2.in.tum.de/~verma/ (Kumar Neeraj Verma), http://www.lsv.ens-cachan.fr/~goubault/ (Jean Goubault-Larrecq).

1 Work done while a PhD student at LSV, CNRS UMR 8643 & INRIA Futurs projet SECSI & ENS Cachan on an MENRT grant.

Preprint submitted to Elsevier Science 24 November 2006

1 Introduction

Automata and in particular tree automata (Gécseg and Steinby, 1997; Comon et al., 1997) are an important tool in computer science, in particular in hardware or software verification (Jouannaud, 1995). We may enrich standard tree automata with various features. One that has been considered very early is that of two-way tree automata, where transitions may not just build terms, but also destruct terms. Another one is alternating tree automata, where we may recognize not just unions but also intersections of sets of terms recognized at some states (Slutzki, 1985). A more recent one is equational tree automata, which do not recognize terms but terms modulo some fixed equational theory, see e.g., Lugiez (1998); Ohsaki (2001). The case of finitely many associative-commutative (AC) symbols is of particular importance. The goal of this paper is to explore the combination of these features, that is, of equational, two-way, alternating automata, concentrating on the equational theory of finitely many AC symbols.

Combining two-way, possibly alternating automata with the use of equational theories is not a randomly chosen research theme. We have come to need such automata in studying automata-based cryptographic protocol verification techniques, see Monniaux (1999); Genet and Klay (2000); Goubault-Larrecq (2000); Comon et al. (2001), and extending them to sets of cryptographic primitives that obey specific algebraic laws. This is particularly useful to model protocols based on the Diffie-Hellman primitive, namely modular exponentiation (Diffie and Hellman, 1976): see Goubault-Larrecq et al. (2004) for an application of two-way AC-tree automata to the automated verification of the IKA.1 group key agreement protocol.

There are a number of questions one might ask about any family of automata, in particular the ones we are considering in this paper. The first and probably the most important is decidability of emptiness.

Then, we may inquire about closure under Boolean operations: union, intersection, complementation. As we shall see, alternating AC-automata have an undecidable emptiness problem. Removing alternation but keeping two-way transitions yields a class whose emptiness problem is decidable, as we shall show. Closure under unions is trivial.

Our main contribution in this paper is a classification of alternating, two-way AC-tree automata relative to the question of intersection-emptiness: given finitely many alternating two-way AC-automata, is the intersection of their languages empty? and the related question of effectively computing intersections of two-way AC-tree automata. We shall show that the subclass of so-called AC-standard two-way AC-tree automata (Definition 9) can be effectively reduced to one-way AC-tree automata (Theorem 44), which are closed under intersection (Theorem 38) and whose emptiness is decidable (Lemma 17). This implies that intersection-emptiness is decidable for AC-standard two-way AC-tree automata.

While this class is enough for dealing with the verification problem we initially had in mind (see Goubault-Larrecq et al. (2004) for the application to the IKA.1 cryptographic protocol), we shall leave the case of intersection-emptiness of two-way AC-tree automata, not just the AC-standard ones, open. We conjecture that the latter is still decidable, and show a first result in this direction: intersection-emptiness of two-way AC-tree automata reduces effectively to intersection-emptiness of two-way AC0-tree automata, i.e., to the constant-only subcase where the only function symbols are + (associative and commutative) and finitely many constants (Proposition 63). As the reader will be quickly convinced, this is already rather technical, and requires tools from several domains, in particular from automata theory, automated deduction, and Petri nets.

Outline. The paper is organized as follows. We give an account of related work in Section 2. Section 3 gives all necessary preliminaries, on Horn clauses, languages and recognizability, resolution and its refinements, semilinear sets and branching vector addition systems with states (BVASS).

Once preliminaries have been taken care of, we can define formally what we mean by E-tree automata, whether one-way or two-way, alternating or not, in Section 4. Our interest in such automata stems most particularly from the case where E is the equational theory AC of finitely many associative-commutative symbols +i, 1 ≤ i ≤ p. As we have already said, this is justified by the application to group key agreement protocols; we refer to (Goubault-Larrecq et al., 2004) for details. We believe that the theory AC is so pervasive that one/two-way, alternating or not, AC-tree automata will find their way in other applications. A likely application is to XML Schemas, where the theory AC would be used to account for the fact that XML documents are trees whose nodes have a multiset, not a sequence, of sons.

We proceed to show some limitations of AC-tree automata in Section 5. We show mainly that alternation leads to undecidability, already in the constant-only case, where the only function symbols are constants, plus one AC symbol +.

Because the constant-only case is, in fact, central to the general case, as will become progressively more apparent in later sections, we show in Section 6 that AC-satisfiability is decidable for non-alternating two-way AC0-tree automata, i.e., those non-alternating two-way AC-tree automata that arise in the constant-only case. These results rely on the fact that an AC symbol together with constants allows us to encode counters, so that our automata in the constant-only case correspond to various notions of automata working on counters. These include Parikh images of context-free grammars, which recognize semilinear sets or Presburger-definable sets (Parikh, 1966; Ginsburg and Spanier, 1966), as well as Petri nets and VASS (Reutenauer, 1993), and their extensions like Branching VASS (Verma and Goubault-Larrecq, 2005).

We gradually reduce the AC-satisfiability problem for larger and larger classes of two-way AC-tree automata in Section 7, culminating with so-called AC-standard two-way AC-tree automata, where so-called +-push clauses are restricted to being unconditional (see later for definitions). We show that these classes describe the same languages as ordinary, one-way AC-tree automata, and are therefore closed under union and intersection.

In passing, we show in Section 7.1 that we can always assume without loss of generality that there is exactly one AC function symbol +, instead of several.

We then prove again that intersection-emptiness is decidable for AC-standard two-way AC-tree automata, using rather different techniques, based on resolution and specifically on the use of grey oracles, due to Goubault-Larrecq et al. (2004). This is more technical than previous sections, unfortunately, but has one advantage at least. Since this new technique is not limited to AC-standard two-way AC-tree automata, we are able to show that intersection-emptiness for two-way AC-tree automata (not just AC-standard ones) is decidable as soon as it is in the constant-only case. The latter problem is left open. As we shall argue later on, this last remaining open case is likely to be hard, as it includes vast generalizations of problems as difficult as Petri net reachability, to which they do not seem to reduce easily.

We conclude in Section 9.

For quick reference in the AC case, Figure 1 displays a map of the different kinds of AC-tree automata we consider in this paper.

Acknowledgments. Thanks to H. Comon and L. Fribourg for many stimulating discussions, to A. Finkel and S. Lasota for helpful comments, to A. Podelski for suggesting that clausal formats may provide a better tool for studying generalized automata. A great many thanks are due to an anonymous STACS’02 referee, who found mistakes in our decidability arguments for intersection-emptiness in the constant-only case, which prompted our branching extension of VASS, BVASS, and the associated notion of Karp-Miller trees (Verma and Goubault-Larrecq, 2005). Finally we thank the two anonymous referees for their technical remarks, pointers to related work, and suggestions for improving the presentation of this, admittedly technical, paper.


[Figure 1 (diagram not reproduced): a map of inclusions (⊂) between the classes of AC-tree automata considered in the paper. Its nodes are: One-way AC (Definition 4); Alternating AC (Definition 5); Standard two-way AC (Definition 7); AC-standard two-way AC (Definition 9); Petri two-way AC (footnote to Corollary 27); Two-way AC (Definition 6); Alternating two-way AC (Definition 6); General two-way AC (Proposition 15); Alternation-free (4), (5), (6) (Definitions 47, 52); (4), (5), (6) (Definition 47).]

Fig. 1. AC-tree automata considered in this paper

2 Related Work

There is a large literature on finite tree automata, see Comon et al. (1997); Gécseg and Steinby (1997). Applications abound in rewriting and automated theorem proving notably: approximations of reachability sets for rewrite systems (Genet, 1998), disunification and inductive reducibility (Lugiez and Moysset, 1994), unification under constraints (Kaji et al., 1997), ground reducibility (Comon and Jacquemard, 1997), automated inductive theorem proving (Bouhoula and Jouannaud, 1997), fast tree matching (Li, 1988), automated model building in first-order logic (Peltier, 1997), etc. These applications deal with automata on finite trees, and this is what we are interested in here. We won’t deal with automata on infinite trees (Thomas, 1990), which are also fundamental, e.g. in temporal and program logics (Emerson and Jutla, 1988).

Two-way automata, a.k.a. pushdown processes, where transitions may not only construct but also destruct terms, are also classical. The relation with certain Horn sets called uniform programs was pioneered in Frühwirth et al. (1991), and refined in e.g., Charatonik and Podelski (1998). Cartesian approximation is the key to define upper approximations of various sets of ground atoms, e.g., success sets. (While there is no difficulty to do the same in the AC case, getting two-way, alternating AC-tree automata, it is more difficult to get rid of alternation. This is important, as we shall see in Section 5, since alternation causes undecidability in the AC case.)

It is important to distinguish pushdown processes from pushdown automata (Schimpf and Gallier, 1985), which recognize the strictly larger class of context-free tree languages. This is why we prefer the phrase two-way automata. Conversely, standard automata, where transitions only construct terms, will be called one-way automata.

The idea of generalizing tree automata to recognize languages of terms modulo an equational theory E is then natural, and a canonical choice of theory is that of one associative-commutative (AC) symbol +. The AC case has been explored a number of times, e.g., by Courcelle (1989); Niehren and Podelski (1993); Lugiez (1998). The general case of so-called equational automata has been studied by Ohsaki (2001); Ohsaki and Takai (2002). We shall also deal with this general case, although we emphasize the AC case.

While not all notions of AC-tree automata coincide, there is always a common core. For example, the automata of Lugiez (1998) have additional sort restrictions, but are also extended with a rich constraints language. Recent work by Lugiez (2003) dispenses with the sort restrictions and extends this latter work by considering AC-tree automata with Presburger-definable constraints, catering for an extremely rich framework that includes most proposals of AC-tree automata with decidable emptiness problems until now. Lugiez also shows closure of his class under all Boolean operations. Nonetheless, there is no known reduction of two-way AC-tree automata, as studied here, to Lugiez’s, and there cannot be any reduction of alternating AC-tree automata to Lugiez’s, as the former recognize all recursively enumerable sets (Proposition 11) whereas emptiness is decidable for the latter. XML document processing is the main motivation for the automata proposed by Lugiez. Related notions of automata and logics for XML document processing have been proposed by several authors, e.g. Seidl et al. (2003) and Boneva and Talbot (2005). All the papers cited above deal with one-way AC-tree automata.

Ohsaki (2001) investigates a larger framework of so-called equational tree automata, modulo some equational theory E. It is difficult to compare these with our E-tree automata. For one, again Ohsaki’s automata are not two-way automata; we return to this point below.

Leaving subtleties about two-wayness aside, one might think that regular equational tree automata, a restriction of equational tree automata, also due to Ohsaki, should be the same as our one-way E-tree automata (Section 4.1). Despite the similarities, these are in general different notions. For example, consider the theory E defined by f(x, x) = 0 for every x, and the automaton with two states q0 and q1, q1 being final, and the only transition f(q0, q0) → q1. (In our notation, q1(f(X, Y)) ⇐ q0(X), q0(Y), see later.) In particular, no term is recognized at q0. With our definition, where every term recognized at q1 must be equal modulo E to some term of the form f(u, v) where u and v are recognized at q0, no term is recognized at q1. With Ohsaki’s definition, f(q0, q0) is equated with 0 by the theory, so q1 recognizes the term 0. That is, for Ohsaki, the equational theory E applies not only to ordinary terms, but also to the fake terms such as f(q0, q0) that are used as auxiliaries in defining recognizability. Still, our one-way E-tree automata coincide with Ohsaki’s regular automata when E is a linear theory, in particular in the AC case.

The general form of automata considered by Ohsaki not only has transitions of the form f(q1, ..., qn) → q, but also of the form f(q1, ..., qn) → f(q′1, ..., q′n), where q1, ..., qn, q′1, ..., q′n, q are states. We do not. (Ohsaki’s purpose seems to be able to represent E-closures of regular tree languages.) In fact, the second kind of transition f(q1, ..., qn) → f(q′1, ..., q′n) does not have any equivalent in our formulation. Conversely, our push clauses (see Section 4.2) do not seem to be describable in a rewrite rule based notation. The latter entails that we cannot simply reduce our emptiness and intersection-emptiness questions of two-way AC-tree automata to reachability in ground AC-rewrite systems (Mayr and Rusinowitch, 1998), as Ohsaki and Takai (2002) do. To be precise, to show decidability in the AC case, we in fact show how to eliminate the push clauses under various restrictions. This means that these decidable classes of automata correspond to Ohsaki’s regular AC-tree automata. However this correspondence is not direct, and holds for specific theories like AC but not for more general theories that we are interested in (Verma, 2003c).

The works by Ohsaki and Lugiez cited above encode AC-tree automata by ground rewrite rules, while we prefer to encode them by sets of Horn clauses. Without any equational theory, the two formulations are well-known to be equivalent. As we discussed above, they diverge in the presence of equational theories. The Horn clause formulation has the advantage that it allows one to write the semantics of the problem at hand, such as modeling cryptographic protocols, directly in logic. Also, alternation and two-wayness are more natural concepts in Horn clause notation.

Our notion of alternation in equational tree automata is close to the conjunction operator in conjunctive grammars (Okhotin, 2001). In our terminology, conjunctive grammars are one-way alternating tree automata over a signature consisting of an associative symbol (possibly with a unit) and constants (and no other symbols of larger arity). While we shall mention briefly associative symbols (Proposition 16), our main interest in this paper is the theory of associative-commutative symbols. However they turn out to have some similar properties. Similarly to the case for alternating AC-tree automata, emptiness for conjunctive grammars is undecidable and membership is decidable.

We shall use techniques related to Petri nets. In particular, we shall use some of Verma and Goubault-Larrecq (2005)’s results on the fact that coverability trees à la Karp-Miller for a branching extension of vector addition systems with states (VASS), which were called BVASS there, are finite. BVASS were independently introduced by de Groote et al. (2004), under the name of vector addition tree automata (VATA), to attack the problem whether provability in multiplicative-exponential linear logic was decidable.

3 Preliminaries

Fix a signature Σ of function symbols, each coming with a fixed arity, and let E be an equational theory, inducing a congruence ≈E on all terms built on Σ. In this paper, E will usually be the theory AC of one or several symbols being associative and commutative. We assume that Σ contains at least one constant.

An atomic formula (or atom) is a pair P(s) of a predicate symbol P, taken from some fixed set P, and of a term s on Σ. (Wlog, we restrict to unary predicate symbols.) A literal is either a positive literal +P(t), or a negative literal −P(t). A clause is a disjunction of literals ±1P1(t1) ∨ ±2P2(t2) ∨ ... ∨ ±kPk(tk). A Horn clause is one containing at most one positive literal: we also write P(t) ⇐ P1(t1), ..., Pn(tn) for the definite clause +P(t) ∨ −P1(t1) ∨ ... ∨ −Pn(tn), and ⊥ ⇐ P1(t1), ..., Pn(tn) for the goal clause −P1(t1) ∨ ... ∨ −Pn(tn).

The semantics of clauses is given as usual (Chang and Lee, 1973). A structure I is a tuple consisting of a non-empty set D (the domain), together with subsets I_P of D, one for each predicate P, and functions I_f : D^n → D for each function f ∈ Σ of arity n. Given any environment ρ mapping variables to elements of D, the value I⟦t⟧ρ of a term t is defined by I⟦x⟧ρ = ρ(x) for every variable x, I⟦f(t1, ..., tn)⟧ρ = I_f(I⟦t1⟧ρ, ..., I⟦tn⟧ρ). Then we let I, ρ ⊨ P(t), and say that P(t) holds in I, ρ, if and only if I⟦t⟧ρ ∈ I_P. A clause C holds under I, ρ (and we write I, ρ ⊨ C) if and only if I, ρ ⊨ P(t) for some literal +P(t) in C, or I, ρ ⊭ P(t) for some literal −P(t) in C.

In the special case of Horn clauses, this can be recast as follows. By convention, let I, ρ ⊭ ⊥. We let I, ρ ⊨ C, where C is a Horn clause A ⇐ A1, ..., An, if and only if I, ρ ⊭ Ai for some i, 1 ≤ i ≤ n, or I, ρ ⊨ A.

The structure I is a model of the clause C if and only if I, ρ ⊨ C for every environment ρ; we then write I ⊨ C. I is a model of a set S of clauses if and only if I ⊨ C for every clause C in S; we write I ⊨ S for this.

The structure I is an E-structure if and only if, whenever s and t are two terms that are equal modulo E, then I⟦s⟧ρ = I⟦t⟧ρ for every environment ρ. An E-structure that is a model of C, resp. S, is called an E-model of C, resp. S.

We then say that a clause C, resp. a clause set S, is E-satisfiable if and only if it has an E-model.

A term, an atom, a literal, a clause is ground if and only if it contains no free variable. A substitution σ is any map from variables to terms. We write [x1 := t1, ..., xn := tn] the substitution mapping xi to ti, 1 ≤ i ≤ n, and any other variable to itself. The domain dom σ of σ is {x | xσ ≠ x}. We also write tσ the result of applying the substitution σ to the term t: xσ = σ(x), f(t1, ..., tn)σ = f(t1σ, ..., tnσ). An instance of t is any term that is equal modulo E to tσ, for some substitution σ.

The Herbrand universe HE is the set of all E-equivalence classes of ground terms. A Herbrand structure is any structure I whose domain is HE, and such that I_f maps any n-tuple of ground terms t1, ..., tn modulo E, to the term f(t1, ..., tn), again modulo E, where f has arity n. It is well-known that a clause set has an E-model if and only if it has an E-Herbrand model, i.e., one which is a Herbrand structure.

Any Herbrand structure I can be alternatively characterized as a set of ground atoms that is stable under E: namely the ground atoms P(t) such that I ⊨ P(t) (the environment part is irrelevant here, hence omitted). In this setting, Herbrand structures can be ordered by inclusion. Then, any E-satisfiable Horn clause set has a least Herbrand model. (This is the first place where dealing with Horn clauses matters.) In particular, any set of definite clauses has a least Herbrand model; indeed, it has a Herbrand model, which contains every ground atom.

An alternative characterization of least Herbrand models, which should be familiar to Prolog semanticists, is as follows. Fix a Horn clause set S. Let F be the set of all ground atoms, union ⊥, and let ⊥σ be defined as ⊥, by convention. In other words, we consider ⊥ as ground, and extend ≈E so that t ≈E ⊥ if and only if t = ⊥. Define the operator T_S from P(F) to P(F) by

$$T_S(I) = \{A' \mid A \Leftarrow A_1, \dots, A_n \in S,\ A' \approx_E A\sigma \text{ ground},\ A_1\sigma \in I, \dots, A_n\sigma \in I\}$$

Since T_S is monotonic with respect to inclusion, it has a least fixpoint. In fact, this least fixpoint is $\bigcup_{n \in \mathbb{N}} T_S^n(\emptyset)$, and is just the least Herbrand model of S in case it does not contain ⊥. If it contains ⊥, then S is E-unsatisfiable.
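As an added illustration (not from the paper), the following Python computes the stages T_S^n(∅) of this operator for E the empty theory (syntactic equality), on a clause set of the tree-automaton shape used later in the paper. The clause set, the predicate names even/odd and the round bound are constructed for the example; the evaluator only handles range-restricted clauses (every head variable occurs in the body), so that Aσ is ground.

```python
"""Bottom-up evaluation of a Horn clause set: the stages T_S^n(∅).

Added example, not part of the paper. E is the empty theory, so A' ≈_E Aσ
is plain equality. Terms are nested tuples ('f', arg1, ..., argk), with
constants as 1-tuples such as ('0',); variables are strings that start
with an uppercase letter. An atom is (pred, term); the head None stands
for ⊥, which we represent in the stage sets by the atom BOTTOM.
"""

BOTTOM = ("⊥", None)


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def match(pattern, term, subst):
    """One-way matching of pattern (with variables) against a ground term.
    Returns the extended substitution, or None if there is no match."""
    if is_var(pattern):
        bound = subst.get(pattern)
        if bound is None:
            return {**subst, pattern: term}
        return subst if bound == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def apply(t, subst):
    """tσ; raises KeyError on a head variable absent from the body, i.e.
    when Aσ would not be ground (clauses are assumed range-restricted)."""
    if is_var(t):
        return subst[t]
    return (t[0],) + tuple(apply(a, subst) for a in t[1:])


def t_step(S, I):
    """One application of T_S: add Aσ for every clause A ⇐ A1,...,An in S
    and substitution σ with A1σ,...,Anσ all in I (A = ⊥ yields BOTTOM)."""
    out = set(I)
    for head, body in S:
        def fire(i, subst):
            if i == len(body):
                out.add(BOTTOM if head is None else (head[0], apply(head[1], subst)))
                return
            pred, pattern = body[i]
            for p, t in I:
                if p == pred:
                    ext = match(pattern, t, subst)
                    if ext is not None:
                        fire(i + 1, ext)
        fire(0, {})
    return out


def stages(S, max_rounds):
    """Iterate T_S from ∅ for at most max_rounds rounds, stopping early at a
    fixpoint. Returns (atoms, rounds_done, unsat), where unsat tells whether
    ⊥ was derived, i.e. S is unsatisfiable."""
    I = set()
    for n in range(max_rounds):
        J = t_step(S, I)
        if J == I:
            return I, n, BOTTOM in I
        I = J
    return I, max_rounds, BOTTOM in I


def num(k):
    """The numeral s^k(0) as a ground term."""
    t = ("0",)
    for _ in range(k):
        t = ("s", t)
    return t


# Constructed clause set (a one-way tree automaton on numerals):
#   even(0)                     odd(s(X)) ⇐ even(X)
#   even(s(s(X))) ⇐ even(X)     ⊥ ⇐ even(X), odd(X)
EVEN_ODD = [
    (("even", ("0",)), []),
    (("even", ("s", ("s", "X"))), [("even", "X")]),
    (("odd", ("s", "X")), [("even", "X")]),
    (None, [("even", "X"), ("odd", "X")]),
]
# Adding the goal ⊥ ⇐ odd(s(s(s(0)))) makes the set unsatisfiable.
GOAL_ODD3 = (None, [("odd", num(3))])

if __name__ == "__main__":
    atoms, rounds, unsat = stages(EVEN_ODD, 4)
    print(rounds, "rounds,", len(atoms), "atoms, unsat =", unsat)
    print("with goal:", stages(EVEN_ODD + [GOAL_ODD3], 6)[2])
```

The least model of EVEN_ODD is infinite, so the iteration never reaches a fixpoint and only a bounded prefix of ⋃ T_S^n(∅) is computed; this is exactly why the paper turns to resolution below. With the extra goal clause, ⊥ enters the stage set at the fourth round, which witnesses unsatisfiability.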

9

3.1 Resolution, Splitting

We shall need to decide whether given finite sets of Horn clauses modulo AC or ACU are AC-unsatisfiable or not. Computing $\bigcup_{n \in \mathbb{N}} T_S^n(\emptyset)$ directly is in general not an option, since it will usually be infinite. One well-known technique to decide satisfiability is resolution and its refinements, in particular ordered resolution with selection (Bachmair and Ganzinger, 2001).

Let ≻ be a strict stable ordering on atomic formulas. By stable we mean that if P(s) ≻ Q(t), then P(sσ) ≻ Q(tσ) for any substitution σ. Let sel be a function mapping each clause to a subset of its negative literals.

Ordered resolution with selection is the rule that allows one to derive the conclusion (below the bar) provided we have already derived the premises (above):

$$\frac{C_1 \vee +A_{11} \vee \dots \vee +A_{1m_1} \qquad \dots \qquad C_n \vee +A_{n1} \vee \dots \vee +A_{nm_n} \qquad C' \vee -A'_1 \vee \dots \vee -A'_n}{(C_1 \vee \dots \vee C_n \vee C')\sigma}$$

where:

(i) $n \geq 1$, $m_1 \geq 1, \dots, m_n \geq 1$;
(ii) $\sigma = \mathrm{mgu}(A_{11} \doteq \dots \doteq A_{1m_1} \doteq A'_1, \dots, A_{n1} \doteq \dots \doteq A_{nm_n} \doteq A'_n)$, i.e., $\sigma$ is the most general unifier (mgu) of the equations $A_{11} \doteq \dots \doteq A_{1m_1} \doteq A'_1$, ..., $A_{n1} \doteq \dots \doteq A_{nm_n} \doteq A'_n$;
(iii) for every $i$, $1 \leq i \leq n$, $\mathit{sel}(C_i \vee +A_{i1} \vee \dots \vee +A_{im_i}) = \emptyset$ and $A_{i1}, \dots, A_{im_i}$ are maximal atomic formulae in $C_i \vee +A_{i1} \vee \dots \vee +A_{im_i}$ with respect to $\succ$;
(iv) $\mathit{sel}(C' \vee -A'_1 \vee \dots \vee -A'_n) = \{-A'_1, \dots, -A'_n\} \neq \emptyset$, or $\mathit{sel}(C' \vee -A'_1 \vee \dots \vee -A'_n) = \emptyset$ and $A'_1, \dots, A'_n$ are maximal in $C' \vee -A'_1 \vee \dots \vee -A'_n$ with respect to $\succ$.

For additional definitions, see Bachmair and Ganzinger (2001). It is implicit in the rule above that all premises have been renamed so that no two premises share any free variable. The right premise is called the main premise, all others are side premises. The conclusion is often called a resolvent of the premises.

In the case of Horn clauses, this simplifies to the rule:

$$\frac{A_1 \Leftarrow H_1 \qquad \dots \qquad A_n \Leftarrow H_n \qquad A \Leftarrow H, A'_1, \dots, A'_n}{(A \Leftarrow H, H_1, \dots, H_n)\sigma}$$

where H, H1, ..., Hn are bodies, i.e., sets of atomic formulas, comma denotes union of such sets, and the following conditions are met:

(i) $n \geq 1$;
(ii) $\sigma = \mathrm{mgu}(A_1 \doteq A'_1, \dots, A_n \doteq A'_n)$;
(iii) for every $i$, $1 \leq i \leq n$, $\mathit{sel}(A_i \Leftarrow H_i) = \emptyset$ and $A_i$ is maximal in $A_i \Leftarrow H_i$ with respect to $\succ$;
(iv) letting $C$ be $A \Leftarrow H, A'_1, \dots, A'_n$, $\mathit{sel}(C) = \{-A'_1, \dots, -A'_n\} \neq \emptyset$, or $\mathit{sel}(C) = \emptyset$ and $A'_1, \dots, A'_n$ are maximal in $C$ with respect to $\succ$.

This rule is sound, i.e., every conclusion is a consequence of the premises; in particular, if the empty clause ⊥ is derivable from a given set of clauses S, then S is unsatisfiable. It is also complete: if S is unsatisfiable, then one can derive ⊥ from S in finitely many steps of ordered resolution with selection.

In passing, choosing sel so that it selects every negative literal (i.e., sel(A ⇐ A1, ..., An) = {−A1, ..., −An}) yields the so-called unit resolution rule on Horn clauses:

$$\frac{P_1(u_1) \qquad \dots \qquad P_n(u_n) \qquad P(t) \Leftarrow P_1(t_1), \dots, P_n(t_n)}{P(t\sigma)} \qquad \sigma = \mathrm{mgu}(u_1 \doteq t_1, \dots, u_n \doteq t_n)$$

which is not only sound and complete (in the Horn case), but is also such that $\bigcup_{n \in \mathbb{N}} T_S^n(\emptyset)$ is exactly the set of ground instances of clauses that we can deduce from the set of Horn clauses S by unit resolution. In short, unit resolution computes the least Herbrand model (if any).

While unit resolution, in some sense, derives new facts in a forward manner, input resolution derives new goals, working its way backwards:

$$\frac{A_1 \Leftarrow H_1 \qquad \dots \qquad A_n \Leftarrow H_n \qquad \bot \Leftarrow A'_1, \dots, A'_n}{(\bot \Leftarrow H_1, \dots, H_n)\sigma}$$

where $n \geq 1$, $\sigma = \mathrm{mgu}(A_1 \doteq A'_1, \dots, A_n \doteq A'_n)$.

Soundness and completeness hold for each variant of resolution, and in the case of ordered resolution with selection, whatever sel, and whatever the stable ordering ≻ is. It is folklore that soundness and completeness still hold when terms are taken modulo some equational theory E, provided σ is taken to be any member of a complete set of unifiers (csu) csu(A1 ≐ A′1, ..., An ≐ A′n) in condition (ii), and ≻ is compatible with E, meaning that if s1, s2 are equal mod E, if t1, t2 are equal mod E, and s1 ≻ t1 then s2 ≻ t2. (Implicit here is the fact that we also replace unsatisfiability by E-unsatisfiability.) This was already the case for other refinements of resolution (Plotkin, 1972). Csus always exist, but need not be finite or even computable. One can compute a finite one for the theory of associativity and commutativity (AC), resp. with unit (ACU) (Stickel, 1981; Fages, 1984).

Independently of equational reasoning, soundness and completeness are preserved when tautologies and various forms of subsumed clauses are removed, at any moment (preferably at the earliest) (Bachmair and Ganzinger, 2001). This will be crucial in showing that resolution terminates on various classes of Horn clauses modulo AC, therefore showing decidability of these classes. Equally crucial will be the so-called splitting rules. A clause of the form C ∨ C′, where C and C′ are non-empty clauses that share no free variable, is called splittable. Given a set of clauses S ∪ {C ∨ C′}, where C ∨ C′ is splittable, the standard version of splitting (Weidenbach, 2001) then considers showing that both S ∪ {C} and S ∪ {C′} are unsatisfiable to conclude that S ∪ {C ∨ C′} is. Instead, we shall use Riazanov and Voronkov’s special brand of splitting (Riazanov and Voronkov, 2001; Voronkov, 2001), as explained in Goubault-Larrecq et al. (2004), and call it splittingless splitting to distinguish it from ordinary splitting. The idea is that when C ∨ C′ is splittable, then it is equivalent to ∃q · (q ⇒ C) ∧ (¬q ⇒ C′), where q is a fresh propositional symbol.

We make this formal as follows (Roger, 2003; Goubault-Larrecq, 2003). We first define formally what it means to create fresh propositional symbols. Fix a set P of predicate symbols. A P-clause is any clause whose predicate symbols are all from P. These will be our ordinary clauses. Let then Q be some set of zero-ary predicate symbols disjoint from P, in one-to-one correspondence with the set of P-clauses modulo renaming: for each P-clause C, let ⌜C⌝ be a symbol in Q, so that ⌜C⌝ = ⌜C′⌝ iff there is a renaming such that C = C′. These will be our fresh symbols q; however notice that we allow ourselves to reuse the same symbol q = ⌜C′⌝ when we meet the same clause C′ twice. The rule of splittingless splitting is:

$$\frac{C \vee C'}{C \vee -\ulcorner C' \urcorner \qquad +\ulcorner C' \urcorner \vee C'}$$

where C and C′ are two non-empty subclauses sharing no variable, where C′ is restricted to be a P-clause, and C is required to contain at least an atom P(t) with P ∈ P.

The effect of the rule is to replace C ∨ C′ by the two clauses C ∨ −⌜C′⌝ and +⌜C′⌝ ∨ C′ in conclusion. Intuitively, ⌜C′⌝ is a propositional symbol that abbreviates the negation of C′, i.e., that is false exactly when C′ is valid.

Ordered resolution with selection, using E-unification, is sound and complete, even when splittingless splitting is applied eagerly (i.e., when both rules can be applied, apply splittingless splitting), provided ≻ is a stable ordering such that P(t) ≻ q for every P ∈ P, q ∈ Q. (We say that ≻ is admissible.) See Goubault-Larrecq et al. (2004) for details.

In the sequel, we shall always use a special form of splittingless splitting, which we call ε-splitting: this is the special case where C′ is a negative block −P1(x) ∨ . . . ∨ −Pn(x) (n ≥ 1; the variable x is the same in each literal), and where C ∨ C′ is Horn. The ε-splitting rule can be reexplained as the one that replaces any clause A ⇐ H, P1(x), . . . , Pn(x), where x is not free in A or H, by the two clauses A ⇐ H, q and q ⇐ P1(x), . . . , Pn(x), where q = ⌜−P1(x) ∨ . . . ∨ −Pn(x)⌝; in effect, this defines q as being true if and only if there is a term satisfying all of P1, . . . , Pn in the least Herbrand model (if any exists).

Finally, it is important to note that there is a more synthetic way of writing the unit resolution rule, which is equivalent from the standpoint of derivability of the empty clause ⊥:

$$\frac{P_1(u_1) \quad \cdots \quad P_n(u_n) \qquad P(t) \Leftarrow P_1(t_1), \ldots, P_n(t_n)}{P(t\sigma)} \qquad (1)$$

where $\sigma \in \mathrm{csu}_E(u_1 \doteq t_1, \ldots, u_n \doteq t_n)$. (Modulo E, recall that we need to replace mgus by csus.) This notation may appeal more to the reader. See e.g., Chang and Lee (1973) where semantic resolution and therefore also hyperresolution and unit resolution are presented in this way.

3.2 Languages, Recognizability

Our impetus in using sets of Horn clauses is to define various forms of automata. For all these notions, the notions of recognizability, and of language recognized at some state will be the same. Therefore we choose to introduce these notions here.

Given an E-satisfiable set of Horn clauses S, and a predicate symbol P, the language L_P(S) of S at state P is the set of all E-equivalence classes of ground terms t such that P(t) is in the least Herbrand model of S. The elements of L_P(S) are called the (E-equivalence classes of) terms recognized at P in S.

By abuse of language, we say that P is empty in S if and only if L_P(S) is empty, and similarly for other properties. We have the following easy lemmas. The first one characterizes recognizability semantically.

Lemma 1 Given an E-satisfiable set S of Horn clauses, the ground term t is recognized at P in S if and only if S plus the clause ⊥ ⇐ P(t) is E-unsatisfiable.

PROOF. If t ∈ L_P(S), then by definition P(t) is in the least Herbrand model of S, so it is in every Herbrand model of S; it follows that S plus ⊥ ⇐ P(t) is E-unsatisfiable. Conversely, if S plus ⊥ ⇐ P(t) is E-unsatisfiable, then every model of S must fail to satisfy ⊥ ⇐ P(t), so must contain P(t); therefore t ∈ L_P(S). □

The second lemma characterizes emptiness.


Lemma 2 Given an E-satisfiable set S of Horn clauses, P is empty in S if and only if S plus the so-called query clause ⊥ ⇐ P(x) is E-satisfiable.

PROOF. If P is empty, then the least Herbrand model of S does not contain any ground atom of the form P(t), hence makes ⊥ ⇐ P(x) true.

Conversely, if S plus ⊥ ⇐ P(x) is E-satisfiable, then its least Herbrand model does not contain any ground atom of the form P(t). Since every model of S plus ⊥ ⇐ P(x) is also a model of S, the least Herbrand model of S is included in that of S plus ⊥ ⇐ P(x), hence does not contain any ground atom of the form P(t) either; so P is empty in S. □

The third lemma characterizes intersection-emptiness, that is, given finitely many predicate symbols P1, . . . , Pn, whether L_{P1}(S) ∩ . . . ∩ L_{Pn}(S) is empty. (We say for short that the intersection of P1, . . . , Pn is empty in this case.)

Lemma 3 Given an E-satisfiable set S of Horn clauses, the intersection of P1, . . . , Pn is empty in S if and only if S plus the so-called final intersection clause ⊥ ⇐ P1(x), . . . , Pn(x) is E-satisfiable.

PROOF. The proof is similar. □

3.3 Semilinear Sets, Vector Addition Systems with States, Branching VASS

A vector addition system with states, or VASS (Reutenauer, 1993), is a counter machine without zero-test. Alternatively, it is a finite automaton where transitions are labeled with two p-tuples of integers νin, νout ∈ N^p. A configuration is a pair comprised of a state P and a p-tuple of natural numbers ν ∈ N^p, which we write as an atom P(ν). If there is a transition from state P1 to state P, labeled νin, νout, then the VASS may evolve from the configuration P1(ν) to the configuration P(ν − νin + νout), provided ν ≥ νin. It is understood that all operations, in particular + and ≥, are computed componentwise.

Formally, we may recast this in the unifying language of Horn clauses as follows. A VASS is any finite set of clauses of the form

$$P(\nu) \qquad (2)$$
$$P(x + \nu_{out}) \Leftarrow P_1(x + \nu_{in}) \qquad (3)$$

where ν, νin, νout ∈ N^p.


Clauses (2) are called initial clauses, and clauses (3) are transitions.

Since p will usually be kept fixed, we don't mention it in the definition. This falls into our general format of clauses modulo an equational theory: the signature Σ is comprised of p distinct constants a1, . . . , ap, plus one constant 0 and one binary function symbol +, and the equational theory E is the theory of the free commutative monoid generated by a1, . . . , ap, with addition + and unit 0. In other words, E is the theory ACU stating that + is associative, commutative, and has 0 as unit, on the signature a1, . . . , ap, +, 0. Then the term $\sum_{i=1}^{p} n_i a_i$ represents the vector (n1, . . . , np).

A VASS V where every atom P(t) uses the same predicate P is called a Petri net. The places are the integers i, 1 ≤ i ≤ p, or equivalently the p distinct constants a1, . . . , ap. The markings are the p-tuples ν ∈ N^p. If P(ν) is a clause (2) in V, then ν is called an initial marking of V. The transitions are the clauses of the form (3), which accords with our definition above.

Since we are only interested in the language recognized by a VASS, in the sense of Section 3.2, that is in the sets of ground unit clauses P(ν) deducible from a VASS by unit resolution, we may without loss of generality assume that, in transitions (3), for every i, 1 ≤ i ≤ p, the ith component of νin and the ith component of νout are not both non-zero. Then, letting δ be the vector νout − νin in Z^p, there is no ambiguity in writing such clauses

$$P(x + \delta) \Leftarrow P_1(x) \qquad (4)$$

understanding that unit resolution with the ground unit clause P1(ν) generates P(ν + δ), provided ν + δ ∈ N^p. This is in particular, up to the representation of transitions as clauses, the definition used by Reutenauer (1993).

Given any finite sets A and B = {ν1, . . . , νk} of vectors in N^p, the smallest set L_{A,B} containing A and such that ν ∈ L_{A,B} and ν′ ∈ B imply ν + ν′ ∈ L_{A,B}, can also be described as the set of all vectors $\nu_0 + \sum_{i=1}^{k} n_i \nu_i$, ν0 ∈ A, n1, . . . , nk ∈ N.

A linear set is any set of the form L_{A,B}, and a semilinear set is any finite union of linear sets. If every δ in clauses (4) is in N^p, i.e., consists of non-negative integers, in other words if transitions (3) are such that νin = 0, then it is clear that the languages of each predicate P in any VASS are semilinear sets. This is an instance of Parikh (1966)'s Theorem, see below. Conversely, every semilinear set can be described as the language of P in some collection of clauses (2) and (3) with νin = 0. In particular every semilinear set is recognized by some (computable) VASS. The converse fails, as shown by Hopcroft and Pansiot (1979), when p ≥ 5.

The semilinear sets are closed under intersection, union, complementation, and projection. This is the fundamental observation behind Ginsburg and Spanier (1966)'s Theorem that the semilinear sets are exactly the Presburger-definable sets, i.e., the sets of p-tuples of natural numbers definable as those satisfying some formula of Presburger arithmetic with p free variables.

Another fundamental result is Parikh (1966)'s Theorem. Recall that the commutative image of a string built from symbols a1, . . . , ap refers to the vector (n1, . . . , np) where ni is the number of occurrences of ai in the string. The commutative image of a set of strings is the set of commutative images of its members. Parikh's theorem states that the commutative image of any context-free language is a semilinear set. This result is effective in the sense that, given a context-free grammar G, we can compute a finite family of finite sets Ai, Bi such that the commutative image of the language produced by G is $\bigcup_i L_{A_i,B_i}$. Parikh's Theorem also states that every semilinear set can be realized as the commutative image of some regular set.

One extension of VASS that we shall require here is branching VASS, or BVASS. They were introduced in Verma (2003a); Verma and Goubault-Larrecq (2005), precisely to solve the problems we present here. Since then de Groote et al. (2004) invented independently the same concept, under the name of vector addition tree automata (VATA), and showed that provability in the multiplicative-exponential fragment of linear logic (MELL) was equivalent to reachability in VATA/BVASS. A BVASS is a finite set of initial clauses (2), of transitions (3), and of addition clauses of the form

$$P(x + y) \Leftarrow P_1(x), P_2(y) \qquad (5)$$

where P, P1, P2 are predicate symbols.

If in all transitions (3) we have νin = 0, then BVASS are nothing else but Parikh images of context-free languages (Verma and Goubault-Larrecq, 2005), and therefore define just the semilinear sets, by Parikh's Theorem. Otherwise, BVASS generalize Petri nets and VASS. It is unknown whether this generalization is proper.

The covering problem for VASS or BVASS is, given a VASS or BVASS S and a ground atom P(ν), whether there is a ground atom P(ν1) deducible from S such that ν1 ≥ ν. (We say P(ν) can be covered in S.) The VASS or BVASS S is bounded if and only if there are only finitely many ground atoms deducible from S. A place i is bounded in S if the set of ith components ν[i] of vectors ν such that P(ν) is deducible from S is finite. These properties can be decided for VASS easily enough by noting that VASS are well-structured transition systems (Finkel and Schnoebelen, 2001). While BVASS are not even transition systems at all, a similar technique that computes coverability sets backwards allows one to decide coverability similarly: see Goubault-Larrecq and Verma (2002, Lemma 5).

A more complex technique, in the VASS case, is the use of the Karp-Miller coverability tree (Karp and Miller, 1969), which computes a set KM(S) of generalized atoms P(ν′), generalized in the sense that ν′ ∈ (N ∪ {+∞})^p, such that any ground atom P(ν) can be covered in the VASS S if and only if KM(S) contains some P(ν′) with ν′ ≥ ν. Moreover, KM(S) is finite and computable. This is because the elements of KM(S) are the labels of the Karp-Miller coverability tree, which is itself finite and computable.

The main result of Verma and Goubault-Larrecq (2005) is to extend this construction to BVASS. To be precise, we have proved in op.cit. that, for any BVASS S, there is a finite set KM(S) (obtained from a generalization of the Karp-Miller coverability tree to the case of BVASS) such that:

(1) For every ground atom P(ν) derivable from S, there is a generalized atom P(ν′) in KM(S) such that ν′[i] = ν[i] whenever ν′[i] ≠ ∞.

(2) For every generalized atom P(ν′) in KM(S), there is a ground atom P(ν) deducible from S such that ν[i] = ν′[i] whenever ν′[i] ≠ ∞. Moreover, we may choose ν[i] as large as we wish, exceeding any prescribed bound K ∈ N, for every i such that ν′[i] = ∞.

(3) Finally, KM(S) is finite and computable.

The first two items allow one to decide whether a given VASS S is bounded (check that no ∞ sign occurs in any generalized atom of KM(S)), and to decide the covering problem: for any fixed ground atom P(ν), there exists a ground atom P(ν1) deducible from S with ν1 ≥ ν if and only if there is a generalized atom P(ν′) in KM(S) such that ν′ ≥ ν. In the sequel, we shall in fact need more than just the fact that boundedness and coverability are decidable, and we require to be able to compute the set KM(S) itself.
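As an added illustration, not code from the paper, here is the Karp-Miller construction for a VASS written as clauses (2) and (4), together with the boundedness and covering decisions that KM(S) yields; the sample VASS and all names are constructed for this example.

```python
"""Karp-Miller coverability set KM(S) for a VASS written as clauses (2) and (4).

Added example, not code from the paper.  A VASS is given as initial clauses
P(nu) and transitions P(x + delta) <= P1(x) with delta in Z^p; generalized atoms
P(nu') use float('inf') for the +oo components.
"""

INF = float("inf")


def km_set(p, initial, transitions):
    """Compute KM(S) by exploring the Karp-Miller coverability tree.

    initial:     list of (P, nu), nu a p-tuple of naturals       (clauses (2))
    transitions: list of (P1, delta, P), delta a p-tuple in Z     (clauses (4))
    Returns the set of generalized atoms (P, nu') labelling the tree.
    A branch stops when its label repeats an ancestor; when a label strictly
    dominates an ancestor with the same state, the growing components are
    accelerated to INF (that loop could be iterated arbitrarily often).
    """
    km = set()
    # stack entries: (state, vector, tuple of ancestor atoms on this branch)
    stack = [(P, tuple(nu), ()) for P, nu in initial]
    while stack:
        P, nu, ancestors = stack.pop()
        atom = (P, nu)
        if atom in ancestors:
            continue                      # label already seen on this branch
        km.add(atom)
        branch = ancestors + (atom,)
        for P1, delta, P2 in transitions:
            if P1 != P:
                continue
            new = [nu[i] + delta[i] for i in range(p)]
            if any(v < 0 for v in new):
                continue                  # nu + delta not in N^p: clause does not fire
            for Q, mu in branch:          # acceleration against ancestors
                if Q == P2 and all(mu[i] <= new[i] for i in range(p)) and tuple(new) != mu:
                    new = [INF if new[i] > mu[i] else new[i] for i in range(p)]
            stack.append((P2, tuple(new), branch))
    return km


def covers(km, P, nu):
    """Covering problem: P(nu) is covered iff KM(S) has some P(nu') with nu' >= nu."""
    return any(Q == P and all(a >= b for a, b in zip(mu, nu)) for Q, mu in km)


def bounded(km):
    """The VASS is bounded iff no INF occurs in any generalized atom."""
    return all(INF not in mu for _, mu in km)


# Constructed sample VASS over p = 2 places: state A may add a token to place 2
# forever (delta = (0, 1)) or move to B while consuming a token from place 1.
KM_SAMPLE_INITIAL = [("A", (1, 0))]
KM_SAMPLE_TRANSITIONS = [("A", (0, 1), "A"), ("A", (-1, 0), "B")]

if __name__ == "__main__":
    km = km_set(2, KM_SAMPLE_INITIAL, KM_SAMPLE_TRANSITIONS)
    print(sorted(km))                 # contains ('A', (1, inf)) and ('B', (0, inf))
    print(bounded(km))                # False: place 2 is unbounded
    print(covers(km, "B", (0, 5)))    # True
```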

The reachability problem is, given a VASS or BVASS S and a ground atom P(ν), whether P(ν) is deducible from S. This problem is decidable for VASS, by the Mayr-Kosaraju algorithm (Mayr, 1984; Kosaraju, 1982; Sacerdote and Tenney, 1977; Lambert, 1992); see Reutenauer (1993) for a nice and detailed exposition. This algorithm is non-trivial, and of unknown complexity. The best known lower bound is that the problem is EXPSPACE-hard (Mayr, 1984; Lipton, 1976). One of the ingredients in the decision algorithm is the Karp-Miller coverability tree. Even though the latter generalizes to BVASS, it is still unknown whether reachability is decidable for BVASS (and in particular whether MELL provability is decidable).

4 Alternating Two-Way E-Tree Automata

While tree automata recognize sets of terms on some signature Σ, E-tree automata are meant to recognize sets of equivalence classes of terms modulo E. In particular, when E is the empty theory, we shall retrieve the standard notion of tree automata, whether one-way (the usual kind), alternating, or two-way. We start with one-way, i.e., run-of-the-mill E-tree automata (Definition 4), and work our way towards the more complicated notions like alternating automata (Definition 5) and two-way automata (Definition 6), with or without alternation. To obtain decidability in the case of two-way AC automata, the push clauses involving AC symbols need to be further restricted, which leads us to define AC-standard two-way AC-tree automata (Definition 9), which is the most general form of automata for which we show decidability in this paper.

4.1 One-Way E-Tree Automata

Definition 4 (One-Way E-Tree Automata) A one-way E-tree automaton, or E-tree automaton for short, S, is a finite set of clauses of the form:

$$P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n) \qquad (6)$$
$$P(x) \Leftarrow P'(x) \qquad (7)$$

where f ∈ Σ and P, P1, . . . , Pn, P′ are elements of a finite set of unary predicate symbols called the states of the automaton, and x1, . . . , xn are distinct variables in (6).

Clauses (6) are called pop clauses, and clauses (7) are ε-clauses.

This definition does not depend on E. However, we shall always understand the semantics of E-tree automata as that given in Section 3. In other words, we say "E-tree automaton" to stress the fact that they will always be understood modulo E.

The pop clauses (6) are ordinary tree automata transitions. Intuitively, (6) reads as "if x1 is recognized at state P1, and . . . , and xn is recognized at state Pn, then f(x1, . . . , xn) is recognized at state P". The ε-clauses (7) similarly correspond to epsilon transitions. A more thorough discussion of tree automata as clauses can be found in Goubault-Larrecq (2002) or in Frühwirth et al. (1991).

The restriction that x1, . . . , xn should be distinct variables in pop clauses (6) is to avoid technical problems in the sequel. Allowing repeated variables poses no problem in the case of tree automata (i.e., when E is the empty theory): using repeated variables, as in P(f(x, x)) ⇐ P1(x), would allow us to deal with tree automata with equality constraints between brothers (Bogaert and Tison, 1992).

The careful reader will have noticed that we have not defined any initial or final states here. As far as initial states are concerned, they are useless in tree automata, since 0-ary transitions cater for them; i.e., pop clauses of the form P(c) ⇐, where c is a 0-ary function symbol (a constant), just define P as an initial state. We have chosen to let final states be specified independently of automata, because this is more versatile in proofs. On the other hand, this shall force us to talk of "state P being empty in automaton S", instead of just saying that S is empty. If some state is explicitly specified as being final then the language recognized by the automaton will be the set of terms recognized at the final state. Having only one final state instead of many causes no loss of expressiveness for the automata classes that we are interested in.

Given a predicate symbol (a state) P, the language of all terms recognized at P in an E-tree automaton S is already defined: see Section 3.2, and specialize the notions defined there to E-tree automata.

Some readers may have read other definitions of languages of terms recognized at states P. One of the most common goes as follows. A run of a term t against the tree automaton S is a tree, whose nodes are labeled by pairs (P, t) (let us write them P(t) for convenience), where P is a state and t is a ground term, and such that every node P(f(t1, . . . , tn)) in the run has n sons P1(t1), . . . , Pn(tn), where P(f(x1, . . . , xn)) ⇐ P1(x1), . . . , Pn(xn) is a transition (a pop clause) of the tree automaton S. Then t is recognized at P in S provided there exists a run with root (P, t).

A run is then just a derivation using rules of the form:

$$\frac{\begin{array}{c}\vdots\\ P_1(t_1)\end{array} \quad \cdots \quad \begin{array}{c}\vdots\\ P_n(t_n)\end{array} \qquad P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)}{P(f(t_1, \ldots, t_n))}$$

But this is just the unit resolution format; see Section 3.1. Conversely, any ground atom P(t) derivable by unit resolution (in particular, under the form (1)) from S is clearly the root of a run. One may rightly claim that runs are unit resolution derivations from the clauses defining the automaton S.
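The two views just described (least Herbrand model by unit resolution, and runs) can be turned into a small decision procedure for emptiness (Lemma 2) and membership in the empty theory; the following is an added example, not code from the paper, and its clause encoding, term encoding and sample automaton are constructed for it.

```python
"""Emptiness and membership for one-way tree automata given as Horn clauses
(6) and (7), in the empty theory E.

Added example, not code from the paper.  Ground terms are nested tuples
(f, (t1, ..., tn)); a constant c is ("c", ()).
Clauses are ("pop", P, f, [P1, ..., Pn]) for P(f(x1, ..., xn)) <= P1(x1), ..., Pn(xn)
and ("eps", P, Q) for P(x) <= Q(x).
"""


def nonempty_states(clauses):
    """Positive unit resolution run to saturation, keeping one witness term per
    state: returns {P: t} with P(t) in the least Herbrand model, for exactly the
    non-empty states.  There are finitely many states, so this terminates."""
    witness = {}
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            if cl[0] == "pop":
                _, P, f, body = cl
                if P not in witness and all(Q in witness for Q in body):
                    witness[P] = (f, tuple(witness[Q] for Q in body))
                    changed = True
            else:
                _, P, Q = cl
                if P not in witness and Q in witness:
                    witness[P] = witness[Q]
                    changed = True
    return witness


def is_empty(clauses, P):
    """Lemma 2: P is empty iff no ground atom P(t) is derivable, i.e. iff adding
    the query clause  _|_ <= P(x)  keeps the clause set satisfiable."""
    return P not in nonempty_states(clauses)


def states_of(clauses, t):
    """Set of states P with t in L_P(S): a bottom-up run (Section 4.1), closed
    under eps-clauses at every node."""
    f, args = t
    arg_states = [states_of(clauses, a) for a in args]
    result = set()
    for cl in clauses:
        if cl[0] == "pop":
            _, P, g, body = cl
            if g == f and len(body) == len(args) and \
                    all(Q in s for Q, s in zip(body, arg_states)):
                result.add(P)
    changed = True
    while changed:                    # eps-closure, clauses (7)
        changed = False
        for cl in clauses:
            if cl[0] == "eps" and cl[2] in result and cl[1] not in result:
                result.add(cl[1])
                changed = True
    return result


# Constructed sample automaton: naturals in unary, their parity, lists of
# naturals, and a state Bad that is deliberately empty (no base pop clause).
TA_SAMPLE = [
    ("pop", "Nat", "0", []),
    ("pop", "Nat", "s", ["Nat"]),
    ("pop", "Even", "0", []),
    ("pop", "Even", "s", ["Odd"]),
    ("pop", "Odd", "s", ["Even"]),
    ("pop", "Bad", "s", ["Bad"]),
    ("eps", "Any", "Even"),
    ("pop", "List", "nil", []),
    ("pop", "List", "cons", ["Nat", "List"]),
]
ZERO = ("0", ())
TWO = ("s", (("s", (ZERO,)),))

if __name__ == "__main__":
    print(is_empty(TA_SAMPLE, "Bad"), is_empty(TA_SAMPLE, "Odd"))   # True False
    print(sorted(states_of(TA_SAMPLE, TWO)))                         # ['Any', 'Even', 'Nat']
```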

4.2 Alternating, Two-Way E-Tree Automata

Frühwirth et al. (1991) note in particular that so-called reduced regular unary-predicate programs, which generalize pop clauses and ε-clauses properly in case E is the empty theory, can be viewed as alternating tree automata (Slutzki, 1985).

Following this insight, let us define:

Definition 5 (Alternating E-Tree Automata) An alternating E-tree automaton is any finite collection of pop clauses (6), of ε-clauses (7), and of intersection clauses of the form:

$$P(x) \Leftarrow P_1(x), \ldots, P_n(x) \qquad (8)$$

where n ≥ 2.

Note that intersection clauses are more powerful than final intersection clauses. The latter allow us merely to check intersection-emptiness of ordinary, i.e. non-alternating, automata. While intersection clauses are natural indeed, we shall see that they cause some trouble in alternating AC-tree automata, making the emptiness problem undecidable (Proposition 11). This is also why we shall be interested in intersection-emptiness (see Lemma 3): in the presence of intersection clauses, intersection-emptiness would reduce to emptiness, but not so without them.

Another generalization of tree automata is two-wayness. We use here a definition that suits our needs, but is not entirely like usual definitions of two-way automata (Shepherdson, 1959). Two-wayness can be defined elegantly using clauses, as was pioneered in Frühwirth et al. (1991). This form of two-wayness is crucial in applications to cryptographic protocols (Goubault-Larrecq et al., 2004). To take a typical example, here are the clauses describing what a Dolev-Yao intruder may know relative to the use of (symmetric) encryption crypt:

$$I(\mathrm{crypt}(M, K)) \Leftarrow I(M), I(K)$$
$$I(M) \Leftarrow I(\mathrm{crypt}(M, K)), I(K)$$

The first clause states that if the intruder knows M and the key K, he knows (can deduce) the ciphertext crypt(M, K) ("M encrypted with K"); this is a pop clause. The second clause states the converse, that the intruder may decrypt: if the intruder knows some ciphertext crypt(M, K) and the appropriate key K, then he knows the plaintext M. This is a push clause, as defined below.
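As an added example, not from the paper, the two crypt clauses above can be run over a finite set of observed ground messages to decide what the intruder can deduce (the protocol-verification question these clauses serve); the message encoding, the trace and the names are constructed for this example.

```python
"""Deduction with the two Dolev-Yao clauses for symmetric encryption above,
over a finite set of ground messages observed on the network.

Added example, not code from the paper.  Messages are Python strings for
atomic names and keys, and ("crypt", m, k) for crypt(m, k).
"""


def analyse(observed):
    """Saturate under the push clause  I(M) <= I(crypt(M, K)), I(K):
    every ciphertext whose key is known is opened.  Only subterms of the
    observed messages are ever added, so the loop terminates."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for msg in list(known):
            if isinstance(msg, tuple) and msg[0] == "crypt":
                _, m, k = msg
                if k in known and m not in known:
                    known.add(m)
                    changed = True
    return known


def derivable(observed, goal):
    """Is I(goal) in the least Herbrand model of the two clauses plus the facts
    I(t) for each observed t?  The pop clause I(crypt(M, K)) <= I(M), I(K) only
    builds larger terms, so after analysis it suffices to apply it top-down on
    the goal (the usual analysis-then-synthesis argument, assumed here)."""
    known = analyse(observed)

    def synth(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] == "crypt":
            return synth(t[1]) and synth(t[2])
        return False

    return synth(goal)


# Constructed trace: a session key kab is sent under a long-term key ka, and a
# secret under kab.  If ka leaks, the intruder reaches the secret in two push
# steps; without ka, nothing can be opened.
TRACE = [("crypt", "kab", "ka"), ("crypt", "secret", "kab")]

if __name__ == "__main__":
    print(derivable(TRACE + ["ka"], "secret"))                    # True
    print(derivable(TRACE, "secret"))                             # False
    print(derivable(TRACE + ["ka"], ("crypt", "secret", "ka")))   # True
```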

Definition 6 (Two-Way, Alternating Two-Way E-Tree Automata) A two-way E-tree automaton is any finite set of pop clauses (6), of ε-clauses (7), and of push clauses of the form:

$$P_i(x_i) \Leftarrow P(f(x_1, \ldots, x_n)), P_{i_1}(x_{i_1}), \ldots, P_{i_k}(x_{i_k}) \qquad (9)$$

where 1 ≤ i ≤ n, 1 ≤ i1, . . . , ik ≤ n, and i ∉ {i1, . . . , ik}.

Similarly, an alternating, two-way E-tree automaton is any finite set of pop clauses (6), of ε-clauses (7), of intersection clauses (8), and of push clauses (9).

Just like pop clauses (6) can be used to construct new terms f(x1, . . . , xn) recognized at P from terms x1 recognized at P1, . . . , xn recognized at Pn, push clauses (9) destruct terms. An intuitive reading of (9) is: "if f(x1, . . . , xn) is recognized at P, and xi1 is recognized at Pi1, and . . . and xik is recognized at Pik, then xi is recognized at Pi".

If k = 0 in (9), then we call this a standard push clause; otherwise, call this a conditional push clause. More precisely:

Definition 7 (Standard, Conditional Push Clauses) A standard push clause is any clause of the form:

$$P_i(x_i) \Leftarrow P(f(x_1, \ldots, x_n)) \qquad (10)$$

where 1 ≤ i ≤ n. A conditional push clause is any clause (9) with k ≠ 0, i.e., a push clause that is not a standard push clause.

Accordingly, a standard (resp. alternating) two-way E-tree automaton A is such that every push clause of A is standard.

Given any set F of function symbols, we say that A is F-standard if and only if for each f ∈ F, push clauses of the form (9) are standard.

A standard push clause (10) would be written, using the notations of set constraints, as $f^{-1}_{(i)}(P) \subseteq P_i$, stating that the set of terms ti such that f(t1, . . . , tn) is recognized at P, for some t1, . . . , ti−1, ti+1, . . . , tn, is contained in the set of terms recognized at Pi.

We end this tour of E-tree automata by discussing the side-conditions on push clauses, namely 1 ≤ i ≤ n, 1 ≤ i1, . . . , ik ≤ n, and i ∉ {i1, . . . , ik}. This means that the variable xi on the left-hand side can only be used in the atom P(f(x1, . . . , xn)) but nowhere else on the right-hand side. Another presentation of push clauses is

$$P_i(x_i) \Leftarrow P(f(x_1, \ldots, x_n)), B_1(x_1), \ldots, B_{i-1}(x_{i-1}), B_{i+1}(x_{i+1}), \ldots, B_n(x_n)$$

where Bj(xj) denotes any finite conjunction Pj1(xj), . . . , Pjnj(xj), for each j. Note that we explicitly exclude having some conjunction Bi(xi) on the right hand side. Not doing this, that is, allowing for the following more general kind of push clause, which we call general push clauses,

$$P_i(x_i) \Leftarrow P(f(x_1, \ldots, x_n)), B_1(x_1), \ldots, B_n(x_n) \qquad (11)$$

is equivalent, or so we claim, at least in case of the theory AC of one or more associative and commutative symbols, to allowing for push clauses (9) plus intersection clauses, provided there is at least one function symbol of arity one in Σ.

Indeed, it is clear that (11) can be encoded as

$$P_i(x_i) \Leftarrow q(x_i), B_i(x_i)$$
$$q(x_i) \Leftarrow P(f(x_1, \ldots, x_n)), B_1(x_1), \ldots, B_{i-1}(x_{i-1}), B_{i+1}(x_{i+1}), \ldots, B_n(x_n)$$

by introducing a fresh predicate symbol q. The first clause is an intersection clause, and the second clause is a push clause of the form (9). Conversely, any intersection clause P(x) ⇐ P1(x), P2(x) can be encoded using general push clauses as

$$q(f(x)) \Leftarrow P_2(x)$$
$$P(x) \Leftarrow q(f(x)), P_1(x)$$

where q is a fresh predicate symbol, and f is some function symbol of arity 1; we let the reader show that the case of intersection clauses (8) with n > 2 reduces to the case n = 2. This encoding works provided the theory E is such that for any terms s and t, if f(s) = f(t) then s = t. This is clearly so for the theory AC of one or more associative and commutative symbols.

In other words, using the general format (11) for push clauses would reintroduce the intersection clauses (8) in disguise.

4.3 AC-Tree Automata

We shall deal specifically in this paper with the following equational theory AC.

Definition 8 (AC) The theory AC is defined on signatures Σ that can be split in so-called AC symbols +1, . . . , +p, the remaining symbols being called free function symbols; AC is the theory of associativity and commutativity of +1, . . . , +p, i.e., the theory axiomatized by:

$$s +_i (t +_i u) = (s +_i t) +_i u \qquad\qquad s +_i t = t +_i s$$

for every i, 1 ≤ i ≤ p.

Accordingly, we have the notions of AC-tree automata, two-way AC-tree automata, standard two-way AC-tree automata, etc. Recall that we have also defined F-standard two-way AC-tree automata (Definition 7). Letting the symbols in {+1, . . . , +p} be AC and those in Σ \ {+1, . . . , +p} be free, and specializing Definition 7, we get:

Definition 9 (Free-Standard, AC-Standard Two-Way AC-Tree Automata) A +i-push clause (1 ≤ i ≤ p) is a push clause (9) with f = +i, i.e., of one of the forms

$$P_1(x_1) \Leftarrow P(x_1 +_i x_2)$$
$$P_2(x_2) \Leftarrow P(x_1 +_i x_2)$$
$$P_1(x_1) \Leftarrow P(x_1 +_i x_2), P^1_2(x_2), \ldots, P^k_2(x_2)$$
$$P_2(x_2) \Leftarrow P(x_1 +_i x_2), P^1_1(x_1), \ldots, P^k_1(x_1)$$

where the first two are standard, and the last two are conditional.

A two-way (resp. two-way, alternating) AC-tree automaton is AC-standard if and only if all +i-push clauses, 1 ≤ i ≤ p, are standard.

A free-push clause is a push clause (9):

$$P_i(x_i) \Leftarrow P(f(x_1, \ldots, x_n)), P_{i_1}(x_{i_1}), \ldots, P_{i_k}(x_{i_k})$$

where f is free.

A two-way (resp. two-way, alternating) AC-tree automaton is free-standard if and only if all free-push clauses, 1 ≤ i ≤ p, are standard.

AC-standard two-way AC-tree automata will be the largest class of automata on which we shall obtain decidability results in this paper.

We briefly describe how the ACU case can be reduced to the AC case, where ACU is the theory where some or all symbols +i additionally have a unit 0i. First create fresh states zeroi and add clauses zeroi(0i) and zeroi(x +i y) ⇐ zeroi(x), zeroi(y) for all symbols +i. For every other state q, add clauses q(x +i y) ⇐ q(x), zeroi(y) for every +i. For every clause of the form P(x +i y) ⇐ P1(x), P2(y), add clauses P(x) ⇐ P1(x), P2(y), zeroi(y) and P(x) ⇐ P2(x), P1(y), zeroi(y). The intuition is that for every state q in the ACU automaton an atom q(t) is derivable iff q(t′) is derivable for every t′ obtained from t by successive replacements of subterms s +i 0i by s and of subterms s by s +i 0i. The clause P(x) ⇐ P1(x), P2(y), zeroi(y) can be thought of as the ε-clause P(x) ⇐ P1(x) together with an intersection-emptiness test on states P2 and zeroi. As we will show intersection-emptiness to be decidable for AC-standard two-way AC-tree automata, such clauses do not increase expressiveness and can be effectively eliminated.

Other interesting equational theories are those of Abelian groups (AG), which extends ACU by requiring that every element have an inverse; and the theory ACUX of ACU symbols +i such that t +i t = 0i, which extends AG. The latter is in fact the theory of the bitwise exclusive or operation, which has independent interest, already in cryptographic protocol verification. See Verma (2003c,b, 2004) for results on the latter theories; let us just say that the AG and ACUX theories are simpler to deal with than the AC and ACU cases.

We shall also sometimes mention the theory A of associativity alone, and the theory ACUI extending ACU with the idempotence axiom t +i t = t. While AC is the theory of non-empty finite multisets, and ACU is the theory of finite multisets, ACUI is the theory of finite sets, with +i as union. Note that ACUX is also the theory of finite sets, however with +i as symmetric difference.


5 Undecidability Results

The purpose of this section is to enumerate a few cases where emptiness is undecidable for (resp. alternating, two-way) E-tree automata. The stress is put on the theory AC, but we also consider ACU and AG, the theory of Abelian groups. The main lesson to be learnt here is that alternation causes undecidability.

Let E be an equational theory on some signature Σ containing a symbol +, such that E entails that + is associative and commutative. For any n ∈ N, n ≥ 1, and any term t, write nt for t + . . . + t, where t occurs n times. Write $\sum_{i=1}^{k} n_i t_i$ for the sum n1t1 + . . . + nktk, where it is assumed that k ≥ 1 and ni ≥ 1 for each i, 1 ≤ i ≤ k.

Definition 10 (Torsion-Free) An equational theory E where + is associative and commutative is torsion-free w.r.t. pairwise distinct constants a1, . . . , ak iff

$$\sum_{i=1}^{k} n_i a_i = \sum_{i=1}^{k} n'_i a_i \quad\text{implies}\quad n_i = n'_i \text{ for every } i,\ 1 \le i \le k.$$

The point is that torsion-free theories allow one to encode tuples (n1, . . . , nk) as sums $\sum_{i=1}^{k} n_i a_i$ in a one-to-one manner. The theories AC, ACU, AG are torsion-free; ACUX and ACUI are not. The above definition gives us the flexibility to choose the constants ai. For example the constant 0 which is the unit of + should not be considered here.

Proposition 11 Let E be any theory, with an associative-commutative symbol +, which is torsion-free w.r.t. four constants. Emptiness is undecidable for alternating (one-way) E-tree automata.

PROOF. We use a reduction from the emptiness problem for r.e. sets. For every r.e. set E, there is a two-counter machine M (with counters R1, R2) such that M accepts, starting with R1 = 0, exactly when the initial value of R2 is in E. It then suffices to encode configurations of M that lead to acceptance using alternating E-tree automata.

Recall that a two-counter machine (Minsky, 1961) is a finite labeled transition system with an initial state q0, a final (acceptance) state qf, and transitions q −a→ q′ where a may be Inc Ri, Dec Ri or Zero Ri, i ∈ {1, 2}. Inc Ri increments Ri, Dec Ri checks whether Ri is ≥ 1, and if so decrements Ri, and Zero Ri checks whether Ri = 0.

A configuration of the machine M is a triple (q, m, n) where q is a state, m, n ∈ N are the values of R1 and R2 respectively.

We then use an encoding similar to that of Ibarra et al. (2001), except that the direction of computation is reversed. By a remark of op.cit., three constants actually suffice for this Proposition. We shall describe it using four, and let the reader do the exercise of realizing why one of them is not necessary. Let a^i_j, 1 ≤ i, j ≤ 2, be the four constants in the statement of the proposition. Configurations (q, m, n) of the two-counter machine are encoded as ground atoms q((m + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) where x, y ≥ 1. Incrementing R1 will be simulated by adding a^1_1, while decrementing it will be simulated by adding a^2_1, and similarly for R2. The encoding is not one-to-one: e.g., the values x, y in the above encoding may be any positive numbers. However we will ensure that at least one such atom is deducible corresponding to each configuration of the two-counter machine.

Introduce the clauses in Figure 2, where is_a^1_1, is_a^1_2, is_a^2_1, is_a^2_2, r_{0,0}, . . . are predicate symbols distinct from all states, and j ∈ {1, 2}. Also, with each state q of M, associate two fresh predicate symbols q^+_1 and q^+_2, distinct from each other, from every state, and from every predicate introduced above. Add the intersection clauses q^+_i(x) ⇐ q(x), st^+_i(x) for i ∈ {1, 2}; q^+_i recognizes every configuration recognized by q such that Ri is not zero. We translate the machine M as follows:

(1) Acceptance: qf(x) ⇐ state(x).

(2) q −a→ q′, a = Inc Ri: q(x + y) ⇐ is_a^2_i(x), q′^+_i(y).

(3) q −a→ q′, a = Dec Ri: q(x + y) ⇐ is_a^1_i(x), q′(y).

(4) q −a→ q′, a = Zero Ri: q(x) ⇐ q′(x), st^0_i(x).

Predicate | Defined by | Recognizes
is_a^j_i | is_a^j_i(a^j_i) | just a^j_i
zero_i | zero_i(x + y) ⇐ is_a^1_i(x), is_a^2_i(y) ; zero_i(x + y) ⇐ one_i(x), is_a^2_i(y) | n a^1_i + n a^2_i, n ≥ 1
one_i | one_i(x + y) ⇐ is_a^1_i(x), zero_i(y) | (n + 1) a^1_i + n a^2_i, n ≥ 1
r_{0,0} | r_{0,0}(x + y) ⇐ zero_1(x), zero_2(y) | m a^1_1 + m a^2_1 + n a^1_2 + n a^2_2, m, n ≥ 0
nn_i | nn_i(x) ⇐ zero_i(x) ; nn_i(x + y) ⇐ is_a^1_i(x), nn_i(y) | (n + p) a^1_i + p a^2_i, n ≥ 0, p ≥ 1
state | state(x + y) ⇐ nn_1(x), nn_2(y) | (m + p) a^1_1 + p a^2_1 + (n + q) a^1_2 + q a^2_2, m, n ≥ 0, p, q ≥ 1
st^+_1 | st^+_1(x + y) ⇐ is_a^1_1(x), state(y) | (m + p) a^1_1 + p a^2_1 + (n + q) a^1_2 + q a^2_2, n ≥ 0, m, p, q ≥ 1
st^+_2 | st^+_2(x + y) ⇐ is_a^1_2(x), state(y) | (m + p) a^1_1 + p a^2_1 + (n + q) a^1_2 + q a^2_2, m ≥ 0, n, p, q ≥ 1
st^0_1 | st^0_1(x + y) ⇐ zero_1(x), nn_2(y) | p a^1_1 + p a^2_1 + (n + q) a^1_2 + q a^2_2, n, p, q ≥ 0
st^0_2 | st^0_2(x + y) ⇐ nn_1(x), zero_2(y) | (m + p) a^1_1 + p a^2_1 + q a^1_2 + q a^2_2, m, p, q ≥ 0

Fig. 2. Auxiliary clauses used in encoding two-counter machines

Let S be the set of clauses thus obtained. We have the following two claims:

Claim 12 If (q, m, n) is a configuration of M that leads to acceptance, i.e., to some configuration (qf, m′, n′), then for some N ≥ 1, the atom q((m + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) is deducible from S by positive unit resolution for all x, y ≥ N.

PROOF. We do induction on the number of moves made by the machine from the configuration (q, m, n) to lead to acceptance. If the number of moves is zero then it means q = qf hence we can use the clause qf(x) ⇐ state(x) to deduce all atoms of the form qf((m + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) for x, y ≥ 1. Hence N = 1 satisfies the requirements. The main interesting case is when the machine makes an increment move from the configuration (q, m, n). Suppose it increments R1 to go to configuration (q′, m + 1, n) which leads to acceptance. By induction hypothesis we have some N′ ≥ 1 such that q′((m + 1 + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) is deducible for all x, y ≥ N′. Then q′^+_1((m + 1 + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) is also deducible for all x, y ≥ N′. We use the clause q(x + y) ⇐ is_a^2_1(x), q′^+_1(y) to deduce q((m + 1 + x) a^1_1 + (x + 1) a^2_1 + (n + y) a^1_2 + y a^2_2) for all x, y ≥ N′. Hence by letting N = N′ + 1 we see that we can deduce atoms q((m + x) a^1_1 + x a^2_1 + (n + y) a^1_2 + y a^2_2) for all x, y ≥ N. □

Claim 13 All unit clauses deducible from $S$ by positive unit resolution of the form $q(t)$ are such that $t$ is a ground term of the form $(m + x)a_1^1 + x\,a_1^2 + (n + y)a_2^1 + y\,a_2^2$, for some $x, y \geq 1$, where $(q, m, n)$ leads to acceptance in $M$.

The first claim means that, although we may not deduce all representatives of the configurations of the two-counter machine leading to acceptance, we can deduce at least one representative (actually all representatives except finitely many of them). In particular we see that emptiness of the r.e. set represented by the two-counter machine is equivalent to the emptiness of the state $q_0$ in our corresponding automaton. □

In Section 4.1, we dismissed pop clauses with equality tests between brothers, that is, clauses of the form $P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$ where $x_i = x_j$ for some $i \neq j$. The reason is that it is all too easy to encode intersection clauses using pop clauses with equality tests between brothers, together with standard push clauses; e.g., instead of writing $P(x) \Leftarrow P_1(x), P_2(x)$, we may write the clauses:

$$q(f(x, x)) \Leftarrow P_1(x), P_2(x)$$
$$P(x) \Leftarrow q(f(x, y))$$

where $q$ is a fresh predicate symbol, and $f$ is any free binary function symbol. It follows:

Proposition 14 Let $\mathcal{E}$ be any theory, with an associative-commutative symbol $+$ and a free binary symbol $f$, which is torsion-free w.r.t. four constants. Emptiness is undecidable for standard two-way $\mathcal{E}$-tree automata with equality tests between brothers.

In the cases of AC, ACU and AG, we can even reduce the number of constants to one, say $a$, since we may encode the four constants needed earlier as, say, $a$, $f(a, a)$, $f(a, f(a, a))$ and $f(a, f(a, f(a, a)))$.

We saw in Section 4.2 that general push clauses allowed one to encode intersection clauses, too. The encoding required a unary symbol $f$ to be present in the signature. However we let the reader verify that a similar encoding is possible using a binary AC symbol $+$ in place of the unary symbol $f$. Let a general two-way $\mathcal{E}$-tree automaton be a collection of pop clauses (6), ε-clauses (7), and general push clauses (11). The following is then immediate.

Proposition 15 Let $\mathcal{E}$ be any theory, with an associative-commutative symbol $+$, which is torsion-free w.r.t. four constants. Emptiness is undecidable for general two-way $\mathcal{E}$-tree automata.

It is interesting to note that, unlike in the case of the theories AC, ACU and AG, intersection-emptiness is decidable for tree automata modulo ACUX, even in the presence of alternation and general two-wayness, and these automata are equally expressive as one-way ACUX automata (Verma, 2004). We finish this enumeration of cases of undecidability by mentioning the following, which deals with the theory A of associativity, without commutativity. This shows that the decidable cases modulo A are even rarer than modulo AC.

Assume our signature contains only one associative symbol $+$ and finitely many constants. Ground terms, e.g., $a + b + a + c + c$, can then be equated with non-empty words, here $abacc$.

Proposition 16 The languages recognized by one-way A-tree automata on a signature containing only one associative symbol, and finitely many constants, are the context-free languages not containing the empty word.

One-way A-tree automata are not closed under intersection. Intersection-emptiness is undecidable for one-way A-tree automata. Both results hold even when all free function symbols are constants.

PROOF. Any context-free language $L$ not containing the empty word can be described by a grammar consisting of productions of the form:

$$P \to a \quad (12)$$
$$P \to P_1\, P_2 \quad (13)$$

where $P$, $P_1$, $P_2$ are non-terminals, $a$ is a terminal (letter), and there is a start non-terminal $P_0$. This is the so-called Chomsky normal form (Davis and Weyuker, 1985). The semantics of such productions are described exactly by Horn clauses of the form:

$$P(a) \quad \text{represents (12)}$$
$$P(x + y) \Leftarrow P_1(x), P_2(y) \quad \text{represents (13)}$$

where $+$ is an associative symbol denoting concatenation. The language $L$ is then exactly the set of terms $t$ built on $+$ and the constants $a$ modulo associativity that are recognized at state $P_0$ in the resulting one-way A-automaton. The converse translation, from one-way A-tree automata to context-free grammars, is obvious.

It is well-known that context-free languages not containing the empty word are not closed under intersection, and that the problem of emptiness of intersection of two context-free languages is undecidable (Davis and Weyuker, 1985), whence the claim. □
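The translation above can be run. The following Python, added here as an illustration and not part of the original paper, encodes a Chomsky normal form grammar as clauses of the forms (12) and (13) (plus ε-clauses $P \to P_1$), and decides whether a word, i.e. a ground term modulo associativity, is recognized at a state: every cut of the word into a non-empty prefix and suffix is one way to read it as $x + y$, which is exactly what positive unit resolution with $P(x + y) \Leftarrow P_1(x), P_2(y)$ modulo A explores, so the procedure is the usual CYK dynamic programme. The grammar for $\{a^n b^n \mid n \geq 1\}$, the tuple encoding of clauses and the upper-case convention for non-terminals are the example's own constructions.

```python
# Added example: one-way A-tree automata as Chomsky-normal-form grammars.
# Clause encoding (constructed for this example):
#   ('base', P, a)       P(a)                       i.e. production P -> a      (12)
#   ('pop',  P, P1, P2)  P(x + y) <= P1(x), P2(y)   i.e. production P -> P1 P2  (13)
#   ('eps',  P, P1)      P(x) <= P1(x)              i.e. production P -> P1

def cnf_to_clauses(productions):
    """Translate productions (P, 'a'), (P, (P1, P2)) or (P, P1) into Horn clauses.
    Convention of the example: non-terminals are upper-case names, letters lower-case."""
    clauses = []
    for head, rhs in productions:
        if isinstance(rhs, tuple):
            clauses.append(('pop', head) + rhs)
        elif rhs.isupper():
            clauses.append(('eps', head, rhs))
        else:
            clauses.append(('base', head, rhs))
    return clauses

def eps_closure(states, clauses):
    """Apply epsilon-clauses P(x) <= P1(x) until no new state is added."""
    states = set(states)
    changed = True
    while changed:
        changed = False
        for cl in clauses:
            if cl[0] == 'eps' and cl[2] in states and cl[1] not in states:
                states.add(cl[1])
                changed = True
    return states

def recognized_states(clauses, word):
    """States P such that P(t) is derivable by positive unit resolution modulo A,
    where t is the word read as the term word[0] + ... + word[n-1].
    cell[i][j] holds the states recognizing the factor word[i:j]."""
    n = len(word)
    cell = [[set() for _ in range(n + 1)] for _ in range(n + 1)]
    for i, letter in enumerate(word):
        heads = {cl[1] for cl in clauses if cl[0] == 'base' and cl[2] == letter}
        cell[i][i + 1] = eps_closure(heads, clauses)
    for length in range(2, n + 1):
        for i in range(n - length + 1):
            j = i + length
            heads = set()
            # modulo associativity, word[i:j] = x + y for every cut point k, i < k < j
            for k in range(i + 1, j):
                for cl in clauses:
                    if cl[0] == 'pop' and cl[2] in cell[i][k] and cl[3] in cell[k][j]:
                        heads.add(cl[1])
            cell[i][j] = eps_closure(heads, clauses)
    return cell[0][n] if n else set()   # the empty word is never a ground term

def accepts(clauses, start, word):
    return start in recognized_states(clauses, word)

# Constructed grammar for { a^n b^n | n >= 1 } in Chomsky normal form:
#   S -> A B | A T,   T -> S B,   A -> a,   B -> b
ANBN = cnf_to_clauses([
    ('S', ('A', 'B')), ('S', ('A', 'T')), ('T', ('S', 'B')),
    ('A', 'a'), ('B', 'b'),
])
```

Running `accepts(ANBN, 'S', 'aabb')` answers the membership question for the term $a + a + b + b$ at state $S$; since the table is indexed by factors of the word, the procedure is cubic in the word length, which is the polynomial-time membership mentioned below for one-way A-tree automata.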

Note that emptiness is decidable for one-way A-tree automata, even in polynomial time; see Lemma 17 below. Since one-way A-tree automata are not closed under intersection, but they are closed under unions, they are not closed under complementation either.

Alternating one-way A-tree automata are a natural generalization of one-way A-tree automata which are closed under intersection. This generalization has been studied earlier, in the case where the signature contains only the symbol $+$ and the unit $0$ besides constants, by Okhotin (2001), under the apt name of conjunctive grammars. Just as for alternating AC-tree automata, membership is decidable for conjunctive grammars, again in polynomial time, while emptiness is undecidable. In the AC case, membership is NP-hard (Verma et al., 2005) already for one-way automata (without alternation).

Note that one-way $\mathcal{E}$-tree automata are always closed under unions, trivially, for every equational theory $\mathcal{E}$: if $S_1$ and $S_2$ are two one-way $\mathcal{E}$-tree automata (with their predicate symbols renamed apart, if needed), then for every fresh predicate symbol $P$, the one-way $\mathcal{E}$-tree automaton $S = S_1 \cup S_2 \cup \{P(x) \Leftarrow P_1(x), P(x) \Leftarrow P_2(x)\}$ is such that $L_P(S) = L_{P_1}(S_1) \cup L_{P_2}(S_2)$.

Note finally that emptiness of one-way $\mathcal{E}$-tree automata is always decidable; this can also be deduced from Ohsaki and Takai (2002), Lemma 2, and the fact that Ohsaki's regular equational tree languages coincide with languages of $\mathcal{E}$-tree automata, when $\mathcal{E}$ is a linear theory.

Lemma 17 Let $\mathcal{E}$ be an equational theory. For every predicate symbol $P$, for every one-way $\mathcal{E}$-tree automaton $S$, the set of ground terms recognized at $P$ in $S$ modulo $\mathcal{E}$ is exactly the set of ground terms $s$ such that $s \approx_{\mathcal{E}} t$ for some ground term $t$ recognized at $P$ in $S$ modulo the empty theory.

In particular, for every equational theory $\mathcal{E}$, emptiness of one-way $\mathcal{E}$-tree automata is decidable in polynomial time.

PROOF. The first claim is by induction on unit resolution proofs. In one direction, let $s$ be any ground term such that $P(s)$ is derivable by a positive unit resolution proof modulo $\mathcal{E}$ from $S$, and show that there is a ground term $t$ such that $s \approx_{\mathcal{E}} t$ and $t$ is recognized at $P$ in $S$ modulo the empty theory. The least trivial case is when $P(s)$ has been derived by a pop clause $P(f(x, y)) \Leftarrow P_1(x), P_2(y)$: then $s \approx_{\mathcal{E}} f(s_1, s_2)$ such that we have shorter derivations of $P_1(s_1)$ and $P_2(s_2)$ modulo $\mathcal{E}$; the induction hypothesis gives us two ground terms $t_1 \approx_{\mathcal{E}} s_1$ and $t_2 \approx_{\mathcal{E}} s_2$, recognized at $P_1$ and $P_2$ respectively modulo the empty theory, and the required term $t$ is $f(t_1, t_2)$.

In the other direction, every term $t$ recognized at $P$ in $S$ modulo the empty theory is also recognized at $P$ in $S$ modulo $\mathcal{E}$. We conclude because, by definition, states $P$ in $\mathcal{E}$-tree automata recognize $\mathcal{E}$-equivalence classes of terms.

The second claim follows from the first and the fact that emptiness is decidable in polynomial time for one-way tree automata (Comon et al., 1997; Gécseg and Steinby, 1997), by standard marking techniques. In a nutshell, given any one-way tree automaton, erase every argument of predicate symbols; i.e., replace every pop clause $P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$ by the propositional clause $P \Leftarrow P_1, \ldots, P_n$, and every ε-clause $P(x) \Leftarrow P'(x)$ by $P \Leftarrow P'$. Then $P$ is non-empty in the input tree automaton if and only if $P$ is derivable from the translated set of propositional Horn clauses; deciding the latter can be done in polynomial time (Dowling and Gallier, 1984). □
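The marking technique of the second claim, as an added example (Python, not from the paper): pop and ε-clauses are erased to propositional Horn clauses and forward-chained with the counter scheme of Dowling and Gallier, in time linear in the size of the clause set; the code also rebuilds a witness term for each non-empty state, which is what one wants when a non-empty state is a finding rather than a yes/no answer. The automaton, the tuple encoding of clauses and all names are constructed for the example.

```python
# Added example: emptiness of one-way E-tree automata by marking.
# Clause encoding (constructed for this example):
#   (P, f, (P1, ..., Pn))  pop clause P(f(x1, ..., xn)) <= P1(x1), ..., Pn(xn)
#   (P, a, ())             constant clause P(a)
#   (P, None, (P1,))       epsilon-clause P(x) <= P1(x)
# Erasing the arguments leaves the propositional Horn clause P <= P1, ..., Pn.

from collections import defaultdict, deque

def nonempty_states(clauses):
    """Return {P: witness} for every state P with a non-empty language, where witness
    is a ground term (nested tuples, symbol first) recognized at P."""
    remaining = [len(body) for _, _, body in clauses]   # unmarked body atoms per clause
    watchers = defaultdict(list)                        # state -> clauses whose body mentions it
    for idx, (_, _, body) in enumerate(clauses):
        for p in body:
            watchers[p].append(idx)                     # once per occurrence, so repeats count
    witness = {}
    queue = deque()

    def fire(idx):
        head, sym, body = clauses[idx]
        if head in witness:                             # each state is marked at most once
            return
        if sym is None:                                 # epsilon-clause: reuse the body's witness
            witness[head] = witness[body[0]]
        else:                                           # pop clause: build f(w1, ..., wn)
            witness[head] = (sym,) + tuple(witness[p] for p in body)
        queue.append(head)

    for idx, r in enumerate(remaining):
        if r == 0:                                      # constants are facts with an empty body
            fire(idx)
    while queue:                                        # each state is dequeued once, so the
        p = queue.popleft()                             # total work is linear in the clause size
        for idx in watchers[p]:
            remaining[idx] -= 1
            if remaining[idx] == 0:
                fire(idx)
    return witness

def is_empty(clauses, state):
    return state not in nonempty_states(clauses)

# Constructed automaton over constants zero, nil and free symbols s/1, cons/2:
# Nat recognizes numerals, List the lists of numerals, AnyList is an epsilon-alias of List;
# Dead has no base case and Stuck depends on Dead, so both recognize nothing.
EXAMPLE = [
    ('Nat', 'zero', ()),
    ('Nat', 's', ('Nat',)),
    ('List', 'nil', ()),
    ('List', 'cons', ('Nat', 'List')),
    ('AnyList', None, ('List',)),
    ('Dead', 's', ('Dead',)),
    ('Stuck', 'cons', ('Dead', 'List')),
]
```

By Lemma 17 the same answer is valid modulo any equational theory $\mathcal{E}$, since the witness found modulo the empty theory is a representative of an $\mathcal{E}$-class recognized at the state.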

Before we end this section, let us recall that although emptiness is undecidable for alternating AC-tree automata, some problems, in particular the membership problem, are decidable.

Lemma 18 Membership is decidable for alternating AC-tree automata.

PROOF. A naive strategy for deciding whether the term $t$ is accepted at state $q$ is as follows. Let the set $S$ of subterms of $t$ be defined inductively as follows: $t \in S$; if $f(t_1, \ldots, t_n) \in S$ for free $f$ then each $t_i \in S$; and if $t_1 + t_2 \approx_{AC} s \in S$ then $t_1 \in S$. The set $S$ is finite modulo AC. Then we apply the automata clauses to obtain more and more derivable facts of the form $p(s)$, $s \in S$, till no such facts can be further obtained; this terminates, since there are finitely many predicate symbols and finitely many $s \in S$. Then we check whether $q(t)$ has been obtained. □
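The constant-only instance of this strategy, as an added example (Python, not from the paper). With $p$ constants, a ground term $\sum_i n_i a_i$ is the vector $(n_1, \ldots, n_p)$ and its AC subterms are exactly the non-zero vectors componentwise below it, so $S$ is finite and the saturation terminates; alternation enters through intersection clauses $P(x) \Leftarrow Q_1(x), \ldots, Q_k(x)$, which are evaluated on one and the same subterm. The automaton below (two constants $a$ and $b$; $Eq$ recognizes the sums with as many $a$'s as $b$'s, $Mult3$ the sums whose size is a multiple of 3, $Target$ their intersection) and the tuple encoding of clauses are constructed for the example.

```python
# Added example: membership for alternating AC0-automata (constant-only case).
# A ground term sum_i n_i a_i is the vector (n_1, ..., n_p). Clause encoding (constructed):
#   ('base', P, i)             P(a_i)
#   ('pop',  P, P1, P2)        P(x + y) <= P1(x), P2(y)
#   ('eps',  P, P1)            P(x) <= P1(x)
#   ('and',  P, (Q1, ..., Qk)) intersection clause P(x) <= Q1(x), ..., Qk(x)

from itertools import product

def subterms(t):
    """The AC subterms of t: all non-zero vectors s with s <= t componentwise."""
    return [s for s in product(*(range(n + 1) for n in t)) if any(s)]

def splits(s):
    """All ways to write s as u + v with u and v non-zero (the order is irrelevant modulo AC)."""
    for u in subterms(s):
        v = tuple(a - b for a, b in zip(s, u))
        if any(v):
            yield u, v

def saturate(clauses, t):
    """Derive every fact P(s), s a subterm of t, closing under the clauses until nothing new
    appears. Terminates: finitely many predicates times finitely many subterms."""
    subs = set(subterms(t))
    facts = set()
    changed = True
    while changed:
        changed = False
        new = set()
        for cl in clauses:
            kind = cl[0]
            if kind == 'base':
                unit = tuple(1 if j == cl[2] else 0 for j in range(len(t)))
                if unit in subs:                       # a_i is a subterm of t only if n_i >= 1
                    new.add((cl[1], unit))
            elif kind == 'eps':
                new |= {(cl[1], s) for (q, s) in facts if q == cl[2]}
            elif kind == 'pop':
                for s in subs:
                    if any((cl[2], u) in facts and (cl[3], v) in facts for u, v in splits(s)):
                        new.add((cl[1], s))
            elif kind == 'and':                        # alternation: all conditions on the same s
                for s in subs:
                    if all((q, s) in facts for q in cl[2]):
                        new.add((cl[1], s))
        if not new <= facts:
            facts |= new
            changed = True
    return facts

def accepts(clauses, state, t):
    return (state, t) in saturate(clauses, t)

# Constructed automaton over two constants, a = index 0 and b = index 1.
ALT = [
    ('base', 'A', 0), ('base', 'B', 1),
    ('pop', 'Eq', 'A', 'B'), ('pop', 'Eq', 'Eq', 'Eq'),          # Eq: #a = #b >= 1
    ('eps', 'One', 'A'), ('eps', 'One', 'B'),                    # One: size 1
    ('pop', 'Pair', 'One', 'One'),                               # Pair: size 2
    ('pop', 'Triple', 'Pair', 'One'),                            # Triple: size 3
    ('eps', 'Mult3', 'Triple'), ('pop', 'Mult3', 'Triple', 'Mult3'),  # Mult3: size 3k
    ('and', 'Target', ('Eq', 'Mult3')),                          # Target: #a = #b = 3k, k >= 1
]
```

Membership here is decided, but nothing in the procedure bounds which vectors are recognized: for the encoding of Proposition 11 one can test a given representative of a configuration, yet one cannot enumerate the configurations, which is why emptiness stays undecidable.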

The careful reader will notice that the proof of Proposition 11 establishes that we can encode any r.e. set using altern­ating AC-tree automata, in some sense. See in particular Claims 12 and 13. If we were indeed able to encode any r.e. set, this would contradict the above lemma. The explanation of the paradox lies in the fact that the encoding of Proposition 11 is a relation, not a function: each counter machine configuration has infinitely many representations as ground atoms, and in our encoding we derive all but finitely many representatives of each of the required configurations. Deciding membership of one particular representative therefore does not decide whether the configuration leads to acceptance: by Claim 13 a derivable representative does witness acceptance, but by Claim 12 a non-derivable one proves nothing.

Recall that emptiness is undecidable but membership is decidable for conjunctive grammars. We have just shown that this is again the case with alternating AC-tree automata.

In the rest of the paper, we exclude alternation from consideration, and deal with two-way AC-tree automata. However, intersection-emptiness will be interesting to us, mainly because of the results of Goubault-Larrecq et al. (2004).

6 Deciding The Constant-Only Case

Because of the negative results of Section 5, we must restrict the format of clauses. We first consider two-way AC-tree automata, as defined in Section 4, restricted to the constant-only case. The latter means that we consider in this section that the signature $\Sigma$ consists of $p$ constants $a_1, \ldots, a_p$, and exactly one AC symbol $+$. This might seem like a drastic restriction. However we shall understand that this is where all the difficulties concentrate.

Since all free function symbols are constants $a_i$, pop clauses (6) are just unit clauses $P(a_i)$, or of the form $P(x + y) \Leftarrow P_1(x), P_2(y)$. Two-way AC-tree automata, in the constant-only case, are then (two-way) AC0-automata, as defined in Definitions 19 and 22 below.

In general, we shall use clauses of the following form throughout this section:

$$P(x + y) \Leftarrow P_1(x), P_2(y) \quad (14)$$
$$P(a_i) \quad (15)$$
$$P(x) \Leftarrow P_1(x) \quad (16)$$
$$P(x) \Leftarrow P_1(x + y) \quad (17)$$
$$\bot \Leftarrow P_1(x), \ldots, P_k(x) \quad (18)$$
$$\bot \Leftarrow P(u) \quad (19)$$

where $x$ and $y$ are distinct variables, and $u$ is a closed term. Clauses (14) are +-pop clauses, (15) base clauses, (16) ε-clauses, (17) (AC-)standard +-push clauses, (18) final intersection clauses, or query clauses when $k = 1$, and (19) test clauses.

Definition 19 (AC0-Automaton) AnAC0-automatonis a finite set of+-pop clauses(14), of base clauses (15), and ofǫ-clauses (16).

By standard marking techniques, it is decidable whether anygiven stateP of anAC0-automatonA is empty inA.

Things get more complex in the presence of final intersection clauses. First, note that ground terms in the constant-only case are finite linear combinations $\sum_{i=1}^{p} n_i a_i$, with $n_i \in \mathbb{N}$ and $\sum_{i=1}^{p} n_i \geq 1$: equivalently, non-zero $p$-tuples of natural numbers. Now observe that if we read clauses (14), (15), (16) modulo associativity (A) instead of modulo AC, what we get is exactly a context-free grammar: (14) is usually written $P \to P_1\, P_2$, (15) is $P \to a_i$, (16) is $P \to P_1$. We have already made this remark in the proof of Proposition 16. We can then state the following reformulation of Parikh's Theorem.

Lemma 20 (Parikh) Call a set of non-zero $p$-tuples of natural numbers AC0-recognizable if and only if it is $L_P(\mathcal{A})$ for some AC0-automaton $\mathcal{A}$, modulo the identification of the ground sum $\sum_{i=1}^{p} n_i a_i$ with the $p$-tuple $(n_1, \ldots, n_p)$.

For every AC0-automaton $\mathcal{A}$, $L_P(\mathcal{A})$ is an effective semilinear set, i.e., it is a semilinear set which is computable from $\mathcal{A}$.

The AC0-recognizable sets are exactly the semilinear sets of non-zero tuples of natural numbers.

The results of Section 5 imply that sets recognized by AC0-automata extended with general push clauses or even just intersection clauses are in general not semilinear. Nonetheless, any finite intersection of semilinear sets is semilinear, so:

Lemma 21 The satisfiability of sets of clauses (14), (15), (16), (18), (19) is decidable.

PROOF. Let $\mathcal{A}$ be the set of all non-test, non-final-intersection clauses in the given set $S$, let $\bot \Leftarrow P^i_1(x), \ldots, P^i_{n_i}(x)$ be the final intersection clauses in $S$, and let $\bot \Leftarrow P^j(u_j)$ be the test clauses in $S$. By Lemma 20 the languages $L_{P^i_k}(\mathcal{A})$ and $L_{P^j}(\mathcal{A})$ are effectively semilinear. Then $S$ is AC-unsatisfiable if and only if for some $i$, $L_{P^i_1}(\mathcal{A}) \cap \ldots \cap L_{P^i_{n_i}}(\mathcal{A}) \neq \emptyset$, or for some $j$, $u_j \in L_{P^j}(\mathcal{A})$; both conditions are effectively decidable, since emptiness and membership are decidable for semilinear sets. □

In particular, intersection-emptiness of AC0-automata, and whether a given tuple is recognized by an AC0-automaton, are decidable problems.

More generally, Parikh's Theorem implies that AC0-recognizable languages are effectively closed under intersection, union, complementation, and projection, using the obvious fact that any semilinear set $A$ can be effectively converted to an AC0-automaton recognizing exactly $A$.

The results of Verma and Goubault-Larrecq (2005, Section 4) imply that satisfiability is also decidable in the presence of standard +-push clauses (17). (The case of conditional +-push clauses is still open.)

Definition 22 (Two-Way AC0, Standard Two-Way AC0) A standard two-way AC0-automaton is a finite set of +-pop clauses (14), of base clauses (15), of ε-clauses (16), and of standard +-push clauses (17).

A two-way AC0-automaton may additionally contain conditional +-push clauses

$$P(x) \Leftarrow P_1(x + y), P_2(y) \quad (20)$$

Showing that the emptiness of standard two-way AC0-automata is decidable is easy, using resolution techniques. We let the reader check that input resolution with eager subsumption and splitting terminates. Termination is by Dickson's Lemma, which states that the $\leq$ ordering on $\mathbb{N}^p$ is a well-quasi-ordering. The resulting algorithm resembles those based on well-structured transition systems (Finkel and Schnoebelen, 2001), except that splitting is necessary as well. The curious reader may find the details in Appendix A. We do not deal with this in the body of the paper, as we are interested in the more general intersection-emptiness problem, and the latter does not seem to be amenable to resolution techniques.

Intersection-emptiness of standard two-way AC0-automata is decidable. We recapitulate the main results of Verma and Goubault-Larrecq (2005, Section 4).

Lemma 23 Given a standard two-way AC0-automaton $\mathcal{A}$, we can effectively construct a BVASS $\mathcal{V}$ such that for every $P$ in $\mathcal{A}$, $\sum_{i=1}^{p} n_i a_i \in L_P(\mathcal{A})$ iff $P(\nu)$ is derivable from $\mathcal{V}$, where $\nu = (n_1, \ldots, n_p)$.

Remark 24 Given any $\nu' \in (\mathbb{N} \cup \{\infty\})^p$, the set $L_<(\nu')$ of all non-zero vectors $\nu \in \mathbb{N}^p$ such that $\nu < \nu'$ is semilinear. Indeed, letting $\nu' = (n'_1, \ldots, n'_p)$, $(n_1, \ldots, n_p)$ is in $L_<(\nu')$ if and only if

$$n_1 \leq n'_1 \wedge \ldots \wedge n_p \leq n'_p$$
$$\wedge\ (n_1 < n'_1 \vee \ldots \vee n_p < n'_p)$$
$$\wedge\ (n_1 \neq 0 \vee \ldots \vee n_p \neq 0)$$

where $n \leq \infty$ and $n < \infty$ are abbreviations for the formula true. This is a Presburger formula, hence $L_<(\nu')$ is semilinear by Ginsburg and Spanier (1966)'s Theorem. We also write $L_<(\nu')$ for the set of sums $\sum_{i=1}^{p} n_i a_i$ where $(n_1, \ldots, n_p)$ is in $L_<(\nu')$. This should entail no confusion.

Theorem 25 There is an effective procedure transforming any standard two-way AC0-automaton $\mathcal{A}$ into an AC0-automaton $\mathcal{B}$ such that for every $P$ in $\mathcal{A}$, $L_P(\mathcal{A}) = L_P(\mathcal{B})$.

This is Verma and Goubault-Larrecq (2005, Theorem 2). It is shown as follows. Let $\mathcal{V}$ be the BVASS equivalent to $\mathcal{A}$ computed using Lemma 23. Let us equate vectors $(n_1, \ldots, n_p)$ with sums $\sum_{i=1}^{p} n_i a_i$. Given any standard +-push clause $C$, say $P(x) \Leftarrow P_1(x + y)$, in $\mathcal{A}$, the set $L_C$ of terms recognized at $P$ in $\mathcal{A}$ using this clause is the set of all vectors $\nu$ that are strictly covered, i.e., strictly less than some vector $\nu_1$ recognized at $P_1$ in $\mathcal{V}$. By the properties of $KM(S)$ (Section 3.3), $L_C$ is the set of all vectors $\nu$ such that $\nu < \nu'$ for some generalized configuration $\nu'$ such that $P_1(\nu')$ is the conclusion of some covering derivation. Since there are only finitely many covering derivations, $L_C$ is therefore a finite union of sets of the form $L_<(\nu')$, which are semilinear by Remark 24. Note however that this translation from standard two-way AC0-automata to AC0-automata involves a construction similar to the Karp-Miller tree construction for VASS, and hence does not give us any primitive-recursive upper bound on the time and space requirement.

In particular,

Corollary 26 The set of terms recognized at any state of any standard two-way AC0-automaton is effectively semilinear.

So the languages of standard two-way AC0-automata are effectively closed under intersection, union, complementation and projection. Also, by Theorem 25 and Lemma 21:

Corollary 27 The AC-satisfiability of sets of clauses of the form (14)–(19) is decidable.

Standard two-way AC0-automata have been criticized in the past because they can only describe semilinear sets, and as such may be felt to lack expressiveness. While this is arguable, notice that the translation from standard two-way AC0-automata to AC0-automata is far from trivial, and probably requires non-primitive recursive time and space. Our feeling is that they describe “non-trivially-semilinear sets”, in a similar way as, say, any non-primitive recursive decision problem (i.e., where the answer is a Boolean value) describes “non-trivial Booleans”.

Another answer to this critique is that conditional +-push clauses, which we cannot handle at the moment, extend this expressive power dramatically. In a conditional +-push clause $P(x) \Leftarrow P_1(x + y), Q_1(y), \ldots, Q_n(y)$, the atoms $Q_1(y), \ldots, Q_n(y)$ are called the conditions. Let the condition predicates be all the symbols $Q$ such that $Q(y)$ is a condition in some clause of $\mathcal{A}$. Call $\mathcal{A}$ a Petri two-way AC0-automaton if and only if, for every condition predicate $Q$ in $\mathcal{A}$, the only clauses in $\mathcal{A}$ of the form $Q(t) \Leftarrow A_1, \ldots, A_n$ are base clauses $Q(a_i)$.

It is easy to extend Lemma 23 to the case of Petri two-way AC0-automata: replace clauses $P(x) \Leftarrow P_1(x + y), Q_1(y), \ldots, Q_n(y)$ in $\mathcal{A}$ by all BVASS clauses $P'(x) \Leftarrow P_1(x + \delta_i)$, where $i$ ranges over those indices such that $Q_1(a_i), \ldots, Q_n(a_i)$ are clauses in $\mathcal{A}$, plus the two families of clauses $P^i(x + (-\delta_i)) \Leftarrow P'(x)$ and $P(x + \delta_i) \Leftarrow P^i(x)$, $1 \leq i \leq p$, ensuring that zero vectors are excluded.

It is then also clear that, up to some coding details related again to the inclusion or exclusion of zero vectors, every language accepted by a BVASS is accepted by a Petri two-way AC0-automaton (even without standard +-push clauses). This relies on the expressiveness of conditional +-push clauses. Since every language accepted by some VASS is trivially accepted by a BVASS, turning to Petri two-way AC0-automata would extend the expressive power of our automata to include at least languages expressible as sets of reachable Petri net markings. Emptiness of Petri two-way AC0-automata reduces to (is in fact equivalent to) emptiness of languages accepted by BVASS, which is decidable (Verma and Goubault-Larrecq, 2005). However, we are more interested in intersection-emptiness; and intersection-emptiness includes the problem of intersection-emptiness of BVASS, hence of VASS. The latter problem is in turn equivalent to Petri net reachability (Reutenauer, 1993), which is decidable by the rather complex Mayr-Kosaraju algorithm, and is EXPSPACE-hard (Lipton, 1976). Intersection-emptiness, or equivalently reachability, for branching VASS is not known to be decidable at the moment. In other words, intersection-emptiness of Petri two-way AC0-automata is not known to be decidable. A fortiori, intersection-emptiness of two-way AC0-automata is not known to be decidable. We would find it surprising nonetheless if any of these problems were undecidable.

Corollary 27 was the main result of this section. We shall use it to show that intersection-emptiness of two-way, non-alternating AC-automata with only standard +-push clauses is decidable in Section 8.

7 Closure Properties of One-Way and Standard Two-Way AC-tree automata

Our aim in this section is to show that one-way AC-tree automata are closed under intersection, and that AC-standard two-way AC-tree automata can be effectively converted to one-way AC-tree automata. This way, intersection-emptiness reduces to emptiness of one-way AC-tree automata, which is decidable by Lemma 17.

7.1 Reduction to One AC Symbol

We first show that two-way AC-tree automata with $p$ AC symbols $+_1, \ldots, +_p$ are equally expressive as two-way AC-tree automata with just one AC symbol $+$, so that we need only study the decidability and closure properties of AC-standard two-way AC-tree automata with only one AC symbol, which is where the main technical challenges lie.

Definition 28 (Standard Translation) Let $\Sigma'$ be the signature consisting of all free symbols of $\Sigma$, one AC symbol $+$, and $2p$ fresh unary free symbols $\smile_i$ and $\frown_i$, $1 \leq i \leq p$.

For every function symbol $g$, a $g$-term is any term of the form $g(t_1, \ldots, t_n)$. This also makes sense modulo AC, i.e., any term equal to some $g$-term modulo AC is a $g$-term; and given any term $t$, there is a unique function symbol $g$ such that $t$ is a $g$-term.

Given any ground term $t$ on the signature $\Sigma$, define the ground term $t^*$ on the signature $\Sigma'$ by:

• if $t = f(t_1, \ldots, t_n)$ with $f$ a free symbol, then $t^* = f(t_1^*, \ldots, t_n^*)$;

• if $t \approx_{AC} t_1 +_i \ldots +_i t_n$, with $1 \leq i \leq p$, $n \geq 2$, and the $t_j$ are not $+_i$-terms, $1 \leq j \leq n$, then $t^* = \frown_i(\smile_i(t_1^*) + \ldots + \smile_i(t_n^*))$.

The well-parenthesized terms on the signature $\Sigma'$ are the terms of type $U$ in the following typing system, whose types are the constants $U$, $U_1$, \ldots, $U_p$:

$$\frac{t_1 : U \quad \ldots \quad t_n : U}{f(t_1, \ldots, t_n) : U}\ (f \text{ free in } \Sigma)
\qquad
\frac{t : U_i \quad t' : U_i}{t + t' : U_i}
\qquad
\frac{t : U}{\smile_i(t) : U_i}
\qquad
\frac{t : U_i}{\frown_i(t) : U}$$

for all $i$, $1 \leq i \leq p$.

Clearly $t^*$ is well-parenthesized for every term $t$ on the signature $\Sigma$. Also, the type of every ground term on the signature $\Sigma'$ is unique if it exists. It follows that the following definition makes sense:

Definition 29 For every well-typed term $t$ in the system of Definition 28 (on the signature $\Sigma'$), define $t^\circ$ by:

• if $f$ is a free symbol in $\Sigma$, and $t = f(t_1, \ldots, t_n)$, then $t^\circ = f(t_1^\circ, \ldots, t_n^\circ)$;

• if $t = \smile_i(u)$ or $t = \frown_i(u)$, then $t^\circ = u^\circ$;

• if $t$ is a sum $t_1 + \ldots + t_n$, of type $U_i$, where $t_1, \ldots, t_n$ are not sums, then $t^\circ = t_1^\circ +_i \ldots +_i t_n^\circ$.

Clearly $(t^*)^\circ \approx_{AC} t$ for every ground term $t$ on $\Sigma$.
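The translations $t \mapsto t^*$ and $u \mapsto u^\circ$ and the typing system, as an added example (Python, not from the paper). Terms are nested tuples kept in AC-canonical form, with nested sums of the same symbol flattened and summands sorted, so that $\approx_{AC}$ becomes plain equality; the constructed check confirms $(t^*)^\circ = t$ on a term mixing $+_1$ and $+_2$, and that the type checker rejects a sum whose summands carry different indices, which is the case Lemma 31 below relies on. The representation, the tags `open`/`close` for $\smile_i$/$\frown_i$ and the helper names are the example's own.

```python
# Added example: the standard translation of Definitions 28 and 29.
# Term representation (constructed for this example):
#   ('f', name, args)     free symbol applied to args (a constant has args == ())
#   ('sum', i, args)      the AC sum args[0] +_i ... +_i args[-1] on Sigma, canonical form
#   ('plus', args)        the single AC symbol + of Sigma', canonical form
#   ('open', i, t)        the unary symbol written "smile_i" in the paper
#   ('close', i, t)       the unary symbol written "frown_i" in the paper

def con(name):
    return ('f', name, ())

def fun(name, *args):
    return ('f', name, tuple(args))

def ac_sum(i, *args):
    """args[0] +_i ... +_i args[-1] in AC-canonical form: nested +_i sums are flattened
    (associativity) and the summands sorted (commutativity), so equal terms compare equal."""
    flat = []
    for a in args:
        flat.extend(a[2] if a[0] == 'sum' and a[1] == i else [a])
    return flat[0] if len(flat) == 1 else ('sum', i, tuple(sorted(flat, key=repr)))

def plus(*args):
    """The single AC symbol + of Sigma', canonicalised the same way."""
    flat = []
    for a in args:
        flat.extend(a[1] if a[0] == 'plus' else [a])
    return flat[0] if len(flat) == 1 else ('plus', tuple(sorted(flat, key=repr)))

def star(t):
    """t -> t* (Definition 28). In canonical form the summands of a +_i sum are never +_i terms."""
    if t[0] == 'f':
        return ('f', t[1], tuple(star(a) for a in t[2]))
    _, i, args = t
    return ('close', i, plus(*(('open', i, star(a)) for a in args)))

def typeof(u):
    """Type in the system of Definition 28: 'U', an index i standing for U_i, or None if ill-typed."""
    tag = u[0]
    if tag == 'f':
        return 'U' if all(typeof(a) == 'U' for a in u[2]) else None
    if tag == 'open':
        return u[1] if typeof(u[2]) == 'U' else None
    if tag == 'close':
        return 'U' if typeof(u[2]) == u[1] else None
    if tag == 'plus':
        types = {typeof(a) for a in u[1]}
        if len(types) == 1:
            (ty,) = types
            if ty is not None and ty != 'U':   # a sum is typed only if all summands have one U_i
                return ty
    return None

def circ(u):
    """u -> u° (Definition 29); defined on well-typed terms only."""
    ty = typeof(u)
    if ty is None:
        raise ValueError('ill-typed term')
    tag = u[0]
    if tag == 'f':
        return ('f', u[1], tuple(circ(a) for a in u[2]))
    if tag in ('open', 'close'):
        return circ(u[2])
    return ac_sum(ty, *(circ(a) for a in u[1]))   # a sum of type U_i becomes a +_i sum

# Constructed term on Sigma with two AC symbols +_1 and +_2: g(a +_1 b +_1 a, (a +_1 c) +_2 b)
A, B, C = con('a'), con('b'), con('c')
T = fun('g', ac_sum(1, A, B, A), ac_sum(2, ac_sum(1, A, C), B))
```

Since `ac_sum` and `plus` canonicalise, `star(ac_sum(1, B, A)) == star(ac_sum(1, A, B))`: the translation is defined on AC-classes, as the second clause of Definition 28 requires.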


Lemma 30 For any two-way AC-tree automaton $\mathcal{A}$, we can effectively compute a two-way AC-tree automaton $\mathcal{A}^*$ such that $L_P(\mathcal{A}^*)$ is the set of all well-parenthesized ground terms $u$ on the signature $\Sigma'$ such that $u^\circ \in L_P(\mathcal{A})$, for every predicate symbol $P$ occurring in $\mathcal{A}$. If in addition $\mathcal{A}$ is AC-standard then $\mathcal{A}^*$ is also AC-standard.

PROOF. For each predicate symbol $P$ occurring in $\mathcal{A}$, create $p$ fresh predicate symbols $P^1, \ldots, P^p$, and add the clauses

$$P^i(\smile_i(x)) \Leftarrow P(x) \quad (21)$$
$$P(\frown_i(x)) \Leftarrow P^i(x) \quad (22)$$
$$P(x) \Leftarrow P^i(\smile_i(x)) \quad (23)$$
$$P^i(x) \Leftarrow P(\frown_i(x)) \quad (24)$$

for every $i$, $1 \leq i \leq p$, and every predicate symbol $P$. Call a $+_i$-clause any clause whose sole function symbol is $+_i$. Then, in every $+_i$-clause of $\mathcal{A}$, $1 \leq i \leq p$, replace every predicate symbol $P$ by $P^i$ and every occurrence of $+_i$ by $+$. For example, replace the $+_i$-pop clause $P(x +_i y) \Leftarrow P_1(x), P_2(y)$ by the clause

$$P^i(x + y) \Leftarrow P_1^i(x), P_2^i(y) \quad (25)$$

Let $\mathcal{A}^*$ be the two-way AC-tree automaton thus obtained.

We first claim that every ground term recognized at some state $P$ in $\mathcal{A}^*$ is of type $U$, and every ground term recognized at some state $P^i$ is of type $U_i$. In particular, $L_P(\mathcal{A}^*)$ is a set of well-parenthesized ground terms.

We then show by structural induction on the derivation of $P(u)$, resp. $P^i(u)$, from $\mathcal{A}^*$ that $P(u^\circ)$ is derivable from $\mathcal{A}$, for any ground term $u : U$, resp. $u : U_i$. This is straightforward.

Finally we show by structural induction on the derivation of $P(t)$ from $\mathcal{A}$, where $t$ is any ground term on $\Sigma$, that $P(u)$ is derivable from $\mathcal{A}^*$ for every $u : U$ such that $u^\circ \approx_{AC} t$, and $P^i(u)$ is derivable from $\mathcal{A}^*$ for every $u : U_i$ such that $u^\circ \approx_{AC} t$, $1 \leq i \leq p$. This is again straightforward. □

The automaton $\mathcal{A}^*$ is well-parenthesized in the sense that its state set can be partitioned into $p + 1$ sets $\mathcal{P}, \mathcal{P}_1, \ldots, \mathcal{P}_p$ (namely $\mathcal{P}$ is the set of states of $\mathcal{A}$, and $\mathcal{P}_i$ is the set of states of the form $P^i$, $1 \leq i \leq p$), so that every ground term recognized at some $P \in \mathcal{P}$ is of type $U$, and every ground term recognized at some $P^i \in \mathcal{P}_i$ is of type $U_i$, $1 \leq i \leq p$.

Conversely, we have:

Lemma 31 Let $\mathcal{B}$ be any one-way AC-tree automaton that accepts only well-typed terms. Then $\mathcal{B}$ can be effectively converted into a one-way AC-tree automaton $\mathcal{B}^\circ$ such that, for every $P \in \mathcal{P}$, $L_P(\mathcal{B}^\circ)$ is the set of all terms $u^\circ$ where $u$ ranges over $L_P(\mathcal{B})$.

PROOF. As for ordinary (i.e. one-way non-equational) tree automata, it is easy to decide whether some state is redundant, i.e. not involved in any derivation leading to the final state. Hence without loss of generality we may assume that $\mathcal{B}$ contains no redundant state. Since $\mathcal{B}$ accepts only well-typed terms, typing imposes that $\mathcal{B}$ is well-parenthesized and the only pop and ε-clauses in $\mathcal{B}$ are of the form:

(1) $P(f(x_1, \ldots, x_n)) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$ with $f$ free, and $P, P_1, \ldots, P_n \in \mathcal{P}$;

(2) or $P^i(x + y) \Leftarrow P_1^i(x), P_2^i(y)$ with $P^i, P_1^i, P_2^i \in \mathcal{P}_i$ ($1 \leq i \leq p$);

(3) or $P^i(\smile_i(x)) \Leftarrow P(x)$ with $P \in \mathcal{P}$ and $P^i \in \mathcal{P}_i$ ($1 \leq i \leq p$);

(4) or $P(\frown_i(x)) \Leftarrow P^i(x)$ with $P \in \mathcal{P}$ and $P^i \in \mathcal{P}_i$ ($1 \leq i \leq p$);

(5) or $P(x) \Leftarrow Q(x)$ with $P, Q \in \mathcal{P}$, or $P^i(x) \Leftarrow Q^i(x)$ with $P^i, Q^i \in \mathcal{P}_i$ ($1 \leq i \leq p$).

Then replace the clauses of the second kind by $P^i(x +_i y) \Leftarrow P_1^i(x), P_2^i(y)$, clauses of the third kind by $P^i(x) \Leftarrow P(x)$, and clauses of the fourth kind by $P(x) \Leftarrow P^i(x)$. The claim is then clear. □

In the following, and unless told otherwise, we shall therefore assume that the signature $\Sigma'$ consists of one AC symbol $+$, the others being free symbols.

Definition 32 (Functional Term, +-Part) A term is functional if and only if it is of the form $f(t_1, \ldots, t_n)$, where $f$ is a free function symbol in $\Sigma'$.

Given any AC-standard two-way AC-tree automaton $\mathcal{A}$, the +-part $\mathcal{A}^+$ of $\mathcal{A}$ is the subset of all clauses in $\mathcal{A}$ that are either ε-clauses (16) $P(x) \Leftarrow P_1(x)$, or +-pop clauses (14) $P(x + y) \Leftarrow P_1(x), P_2(y)$, or standard +-push clauses (17) $P(x) \Leftarrow P_1(x + y)$.

7.2 Reusing Derivations

For short, let us callderivationof A from a set of definite clauses any positive unitresolution derivation ofA from the same set.

Starting from a one-way AC-tree automaton, we first observe that we may slice any derivation in layers, some of them using +-pop clauses, the others using pop clauses on free function symbols. The point of Lemma 34 below is that we may freely exchange sublayers for others.

Definition 33 (Functional Support) Let $\mathcal{A}$ be any two-way AC-tree automaton on $\Sigma$, and $\Delta$ any derivation of $P(t)$ from $\mathcal{A}$. Let $\Delta_1, \ldots, \Delta_n$ be the set of maximal subderivations of $\Delta$ ending with instances of free pop clauses. For $1 \leq j \leq n$, let the conclusion of $\Delta_j$ be $P_j(t_j)$, so that $t_j$ is a functional term, $1 \leq j \leq n$. Call the multiset of atoms $P_1(t_1), \ldots, P_n(t_n)$ obtained this way the functional support of $\Delta$.

Let us clarify that in the above definition, two subderivations at two distinct positions are considered distinct, even if they have identical structure. We intend to use the above definition in cases where $\Delta$ involves only clauses of one-way automata. However $\mathcal{A}$ may contain other clauses in general. Note that, going up in $\Delta$ from the conclusion $P(t)$, we must eventually encounter an instance of a free pop clause. (In fact, we must eventually encounter an instance of a free pop clause of the form $P(a)$ for some constant $a$.) Then $\Delta$ can be described as in Lemma 34 below.

Lemma 34 Let $\Delta$ be a derivation of the form

        Δ_1                 Δ_n
        ⋮                   ⋮
     P_1(t_1)    ...     P_n(t_n)
    ───────────────────────────────   using +-pop, standard +-push, and ε-clauses
                 P(t)

from the set $\mathcal{A}$ of definite clauses, where we mean that $P_j(t_j)$ is the conclusion of $\Delta_j$, $1 \leq j \leq n$, and $P(t)$ is derived from $P_1(t_1), \ldots, P_n(t_n)$ using only +-pop clauses, standard +-push clauses and ε-clauses.

If $t_1, \ldots, t_n$ are functional terms, then there are indices $1 \leq i_1 < \ldots < i_k \leq n$ such that:

(1) $t \approx_{AC} t_{i_1} + \ldots + t_{i_k}$;

(2) $\mathcal{A}^+ \models_{AC} P(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$;

(3) if no +-push clause (17) is in $\mathcal{A}$, then $k = n$, i.e., $t \approx_{AC} t_1 + \ldots + t_n$.

PROOF. The triangle part of the derivation can just sum terms, or extract summands. The point of the Lemma is that, whatever we do, each subscript $i$ will occur at most once in the final sum $t_{i_1} + \ldots + t_{i_k}$. This is because +-pop clauses are constrained to add sums coming from disjoint subderivations $\Delta_i$. □

We then observe the following

Lemma 35 Let $\mathcal{A}$ be any set of definite clauses. If $\mathcal{A}^+ \models_{AC} P(x_{i_1} + \ldots + x_{i_k}) \Leftarrow P_1(x_1), \ldots, P_n(x_n)$, and $P_1(s_1), \ldots, P_n(s_n)$ are ground atoms derivable from $\mathcal{A}$, then $P(s_{i_1} + \ldots + s_{i_k})$ is derivable from $\mathcal{A}$.

PROOF. From the assumptions we get $\mathcal{A} \models_{AC} P(s_{i_1} + \ldots + s_{i_k})$, so $\mathcal{A} \cup \{\bot \Leftarrow P(s_{i_1} + \ldots + s_{i_k})\}$ is AC-unsatisfiable by Lemma 1. Since positive unit resolution is complete, the empty clause $\bot$ is then derivable from $\mathcal{A} \cup \{\bot \Leftarrow P(s_{i_1} + \ldots + s_{i_k})\}$. The last step must be a resolution step of $\bot \Leftarrow P(s_{i_1} + \ldots + s_{i_k})$ against some unit clause, which must therefore be $P(s_{i_1} + \ldots + s_{i_k})$. □

Combined with Lemma 34, this will allow us to replace derivations from the two-way AC-tree automaton $\mathcal{A}$ as on the left below by derivations as on the right, where both triangles use only +-pop, standard +-push, and ε-clauses:

        Δ_1                 Δ_n                          ⋮                   ⋮
        ⋮                   ⋮                         P_1(s_1)    ...     P_n(s_n)
     P_1(t_1)    ...     P_n(t_n)          ───→     ─────────────────────────────────
    ──────────────────────────────────                  P(s_{i_1} + ... + s_{i_k})
     P(t) ≈_AC P(t_{i_1} + ... + t_{i_k})

7.3 Intersection of One-Way AC-Tree Automata

Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two one-way AC-tree automata built over sets of predicates $\mathcal{P}_1$ and $\mathcal{P}_2$. We will construct a one-way AC-tree automaton $\mathcal{A}$ such that $L_{(P_1, P_2)}(\mathcal{A}) = L_{P_1}(\mathcal{A}_1) \cap L_{P_2}(\mathcal{A}_2)$ for every pair of states $P_1$ in $\mathcal{P}_1$, $P_2$ in $\mathcal{P}_2$. Here $(P_1, P_2)$ will be a fresh state, in such a way that there is a one-to-one correspondence between fresh states $(P_1, P_2)$ and pairs of states in $\mathcal{P}_1 \times \mathcal{P}_2$. This should remind the reader of the product construction in ordinary, non-equational, one-way tree automata (Gécseg and Steinby, 1997).

We however need more states, and introduce yet new predicate symbols $\overline{(P_1, P_2)}$, for all pairs $P_1 \in \mathcal{P}_1$, $P_2 \in \mathcal{P}_2$. We intend the state $(P_1, P_2)$ in the AC-tree automaton $\mathcal{A}_1 \times \mathcal{A}_2$ to be constructed below to recognize the intersection of the languages recognized by states $P_1$ and $P_2$ in automata $\mathcal{A}_1$ and $\mathcal{A}_2$ respectively. The state $\overline{(P_1, P_2)}$ is intended to recognize only the functional terms recognized at $(P_1, P_2)$.

We reduce the problem to the constant-only case as follows. Introduce the set $A = \{a_{P_1,P_2} \mid P_1 \in \mathcal{P}_1, P_2 \in \mathcal{P}_2\}$; the constants $a_{P_1,P_2}$ are pairwise distinct and fresh. In the construction below we use the constant $a_{P_1,P_2}$ as an abstraction for the (functional) terms to be recognized at $\overline{(P_1, P_2)}$.

Define the one-way AC0-automaton $\mathcal{B}_1 = \mathcal{A}_1^+ \cup \{P_1(a_{P_1,P_2}) \mid P_1 \in \mathcal{P}_1, P_2 \in \mathcal{P}_2\}$. Similarly, define the one-way AC0-automaton $\mathcal{B}_2 = \mathcal{A}_2^+ \cup \{P_2(a_{P_1,P_2}) \mid P_1 \in \mathcal{P}_1, P_2 \in \mathcal{P}_2\}$. The one-way AC0-automata $\mathcal{B}_1$ and $\mathcal{B}_2$ are built on the signature $A \cup \{+\}$. For $P_1 \in \mathcal{P}_1$, $P_2 \in \mathcal{P}_2$, $L_{P_1}(\mathcal{B}_1)$ and $L_{P_2}(\mathcal{B}_2)$ are effectively semilinear sets by Lemma 20. So $L_{P_1}(\mathcal{B}_1) \cap L_{P_2}(\mathcal{B}_2)$ is also effectively semilinear. Hence we can define an AC0-automaton $\mathcal{A}_{P_1,P_2}$ on the signature $A \cup \{+\}$, with a final state $F_{P_1,P_2}$, such that $L_{F_{P_1,P_2}}(\mathcal{A}_{P_1,P_2}) = L_{P_1}(\mathcal{B}_1) \cap L_{P_2}(\mathcal{B}_2)$. We may also assume without loss of generality that the AC0-automata $\mathcal{A}_{P_1,P_2}$ are built from mutually disjoint sets of fresh states.

The required one-way AC-tree automaton $\mathcal{A}_1 \times \mathcal{A}_2$ consists of:

(1) a clause $(P_1, P_2)(x) \Leftarrow F_{P_1,P_2}(x)$ for each $P_1 \in \mathcal{P}_1$, $P_2 \in \mathcal{P}_2$;

(2) all clauses of $(\mathcal{A}_{P_1,P_2})^+$, for all $P_1 \in \mathcal{P}_1$, $P_2 \in \mathcal{P}_2$;

(3) a clause $R(x) \Leftarrow \overline{(P'_1, P'_2)}(x)$ for each base clause $R(a_{P'_1,P'_2})$ in $\mathcal{A}_{P_1,P_2}$, for each $P_1 \in \mathcal{P}_1$, $P_2 \in \mathcal{P}_2$;

(4) a clause $\overline{(P_1, P_2)}(f(x_1, \ldots, x_n)) \Leftarrow (P_{11}, P_{21})(x_1), \ldots, (P_{1n}, P_{2n})(x_n)$ for each pair of clauses

$$P_1(f(x_1, \ldots, x_n)) \Leftarrow P_{11}(x_1), \ldots, P_{1n}(x_n) \ \text{ in } \mathcal{A}_1$$
$$P_2(f(x_1, \ldots, x_n)) \Leftarrow P_{21}(x_1), \ldots, P_{2n}(x_n) \ \text{ in } \mathcal{A}_2$$

where $f$ is free.

Proposition 36 Let A1 and A2 be two one-way AC-tree automata. If P1(t) and P2(t) are derivable from A1 and A2 respectively, then (P1, P2)(t) is derivable from A1 × A2.

PROOF. We do induction on the sum of the sizes of the derivations of P1(t) and P2(t). Let t ≈AC t1 + . . . + tn where each ti is functional. For each j ∈ {1, 2}, the derivation of Pj(t) has a functional support of the form Pj1(t1), . . . , Pjn(tn) by Lemma 34, and Aj+ |=AC Pj(x1 + . . . + xn) ⇐ Pj1(x1), . . . , Pjn(xn).

The atoms Pj1(a_{P11,P21}), . . . , Pjn(a_{P1n,P2n}) are derivable in Bj, by construction of Bj. Also, since Aj+ = Bj+, we observe that Bj+ |=AC Pj(x1 + . . . + xn) ⇐ Pj1(x1), . . . , Pjn(xn). So the atom Pj(a_{P11,P21} + . . . + a_{P1n,P2n}) is derivable from Bj by Lemma 35, j ∈ {1, 2}. It follows that F_{P1,P2}(a_{P11,P21} + . . . + a_{P1n,P2n}) is derivable from A_{P1,P2}.

This derivation has a functional support of the form R1(a_{P11,P21}), . . . , Rn(a_{P1n,P2n}), such that (A_{P1,P2})+ |=AC F_{P1,P2}(x1 + . . . + xn) ⇐ R1(x1), . . . , Rn(xn), by Lemma 34 again. Since (A_{P1,P2})+ ⊆ (A1 × A2)+ by item 2 of the product construction above, we obtain

    (A1 × A2)+ |=AC F_{P1,P2}(x1 + . . . + xn) ⇐ R1(x1), . . . , Rn(xn)   (*)

For 1 ≤ i ≤ n, since ti is functional we have some free fi of arity ki and terms t^1_i, . . . , t^{ki}_i such that ti ≈AC fi(t^1_i, . . . , t^{ki}_i). Since P1i(ti) and P2i(ti) are in the functional supports of the derivations of P1(t) and P2(t) respectively, there are free pop clauses

    Pji(fi(x1, . . . , xki)) ⇐ P^1_{ji}(x1), . . . , P^{ki}_{ji}(xki)

in Aj, 1 ≤ i ≤ n, j ∈ {1, 2}, such that for all k, 1 ≤ k ≤ ki, the atoms P^k_{ji}(t^k_i) are derivable from Aj, with derivations strictly smaller than those of Pj(t). By induction hypothesis (P^k_{1i}, P^k_{2i})(t^k_i) is derivable from A1 × A2.

By item 4 of the product construction, the clause (P1i, P2i)(fi(x1, . . . , xki)) ⇐ (P^1_{1i}, P^1_{2i})(x1), . . . , (P^{ki}_{1i}, P^{ki}_{2i})(xki) is in A1 × A2. Hence the atom (P1i, P2i)(ti) is derivable from A1 × A2. Also, since the clause Ri(a_{P1i,P2i}) is in A_{P1,P2}, by item 3 of the product construction the clause Ri(x) ⇐ (P1i, P2i)(x) is in A1 × A2. Hence the atom Ri(ti) is derivable from A1 × A2, 1 ≤ i ≤ n. From (*), and using Lemma 35, F_{P1,P2}(t1 + . . . + tn), i.e., F_{P1,P2}(t), is derivable from A1 × A2. Finally we use the clause (P1, P2)(x) ⇐ F_{P1,P2}(x) given by item 1 of the product construction to get a derivation of (P1, P2)(t) from A1 × A2. □

Proposition 37 Let A1 and A2 be two one-way AC-tree automata. For any P1 ∈ P1, P2 ∈ P2, for any ground term t on Σ′, if (P1, P2)(t) is derivable from A1 × A2, then P1(t) and P2(t) are derivable from A1 and A2 respectively.

PROOF. By inspection of the clauses in A1 × A2, the only ground terms recognized at predicates of the form (Q1, Q2) are functional terms, using clauses of item 4 of the product construction. It also follows that for any predicate R such that R(a_{P′1,P′2}) is a base clause in A_{P1,P2}, R recognizes only functional terms in A1 × A2.

We do induction on the size of the derivation of (P1, P2)(t). Since (P1, P2)(x) ⇐ F_{P1,P2}(x) is the only clause in A1 × A2 with the predicate (P1, P2) on the left of ⇐, the given derivation of (P1, P2)(t) ends by an application of (P1, P2)(x) ⇐ F_{P1,P2}(x), so F_{P1,P2}(t) is derivable from A1 × A2 using a strictly smaller derivation. Again from examination of the clauses in A1 × A2, the derivation of F_{P1,P2}(t) has a functional support of the form (P11, P21)(t1), . . . , (P1n, P2n)(tn), with t ≈AC t1 + . . . + tn, where the predicates (P1i, P2i) only recognize functional terms, by the remark above. Furthermore, there are clauses Ri(x) ⇐ (P1i, P2i)(x) from item 3 of the product construction, so that R1(t1), . . . , Rn(tn) are derived just below (P11, P21)(t1), . . . , (P1n, P2n)(tn) respectively.

By item 3 of the product construction again, there are base clauses Ri(a_{P1i,P2i}) in A_{P1,P2}. Also A_{P1,P2}+ |=AC F_{P1,P2}(x1 + . . . + xn) ⇐ R1(x1), . . . , Rn(xn), by Lemma 34. So F_{P1,P2}(a_{P11,P21} + . . . + a_{P1n,P2n}) is derivable from A_{P1,P2}, by Lemma 35.

For 1 ≤ i ≤ n, since ti is functional, we have some free fi of arity ki and terms t^1_i, . . . , t^{ki}_i such that ti = fi(t^1_i, . . . , t^{ki}_i). Since (P1i, P2i)(ti) is derivable from A1 × A2, this must be derived using some clause given by item 4 of the product construction, say (P1i, P2i)(fi(x1, . . . , xki)) ⇐ (P^1_{1i}, P^1_{2i})(x1), . . . , (P^{ki}_{1i}, P^{ki}_{2i})(xki) in A1 × A2. In particular, there are clauses Pji(fi(x1, . . . , xki)) ⇐ P^1_{ji}(x1), . . . , P^{ki}_{ji}(xki) in Aj, j ∈ {1, 2}. Furthermore, for all k, 1 ≤ k ≤ ki, the atom (P^k_{1i}, P^k_{2i})(t^k_i) is derivable from A1 × A2 using a derivation strictly smaller than the one of (P1, P2)(t). By induction hypothesis P^k_{ji}(t^k_i) is derivable from Aj. It follows that Pji(ti) is derivable from Aj, 1 ≤ i ≤ n, j ∈ {1, 2}.

Since F_{P1,P2}(a_{P11,P21} + . . . + a_{P1n,P2n}) is derivable from A_{P1,P2}, we obtain that Pj(a_{P11,P21} + . . . + a_{P1n,P2n}) is derivable from Bj, j ∈ {1, 2}, since L_{F_{P1,P2}}(A_{P1,P2}) = L_{P1}(B1) ∩ L_{P2}(B2). The corresponding derivation must have a functional support Pj1(a_{P11,P21}), . . . , Pjn(a_{P1n,P2n}) such that Bj+ |=AC Pj(x1 + . . . + xn) ⇐ Pj1(x1), . . . , Pjn(xn). By definition, Bj+ = Aj+. Also, since the atoms Pj1(t1), . . . , Pjn(tn) are derivable from Aj, the atom Pj(t1 + . . . + tn), i.e., Pj(t), is derivable from Aj. □

If P1 and P2 are the chosen final states of A1 and A2 respectively, then we let (P1, P2) be the final state of A1 × A2. From Proposition 36 and Proposition 37 we have L_{(P1,P2)}(A1 × A2) = L_{P1}(A1) ∩ L_{P2}(A2). We conclude that:

Theorem 38 The languages recognized by one-way AC-tree automata are effectively closed under intersection.

By now, several authors have studied one-way AC-tree automata and their variants. In particular, given Lemma 17, and up to details like whether to consider the AC theory or the ACU theory, similar results have been shown by Seidl et al. (2003) and Boneva and Talbot (2005).

7.4 Elimination of Standard +-Push Clauses

We now show that adding standard +-push clauses does not increase expressiveness of one-way automata. We have already proved this result for the case where all free symbols are constants, i.e. we have shown that two-way AC0 automata are as expressive as AC0 automata (Theorem 25). We now consider the general case where we have free symbols of arbitrary arity. As before, we concentrate on the case where there is exactly one AC symbol +.

Let A be an automaton with predicates from P and containing free pop clauses as well as ε-clauses (16), +-pop clauses (14), and standard +-push clauses (17). We will construct an equivalent automaton C containing only free pop clauses and ε-clauses (16) and +-pop clauses (14) (no +-push clause (17)). We use the fact that emptiness of a state is decidable for the former class of automata: see Proposition 64 in Appendix A, which also shows that testing emptiness in this class is in NP.

Hence we can assume without loss of generality that A does not contain any empty state. Introduce a set A = {a_P | P ∈ P} of fresh constants. Define the standard two-way AC0-automaton B = A+ ∪ {P(a_P) | P ∈ P}. B is a standard two-way AC0 automaton on the signature A ∪ {+}. Hence L_P(B) is a semilinear set for each P ∈ P, by Corollary 26. Therefore we can construct a one-way AC0 automaton A_P with some final state F_P such that L_{F_P}(A_P) = L_P(B). We assume that the A_P's are based on mutually disjoint sets of fresh predicates.

The required one-way automaton C consists of

(1) a clause P(x) ⇐ F_P(x) for each P ∈ P;
(2) the clauses of A_P+ for each P ∈ P;
(3) a clause Q(x) ⇐ R(x) for each constant clause Q(a_R) in some A_P;
(4) a clause P(f(x1, . . . , xn)) ⇐ P1(x1), . . . , Pn(xn) for each free pop clause P(f(x1, . . . , xn)) ⇐ P1(x1), . . . , Pn(xn) in A;

where P are fresh predicate symbols, for each P ∈ P.

Lemma 39 For every ground term t on Σ′, if P(t) is derivable in A, then it is derivable in C.

PROOF. We do induction on the size of the derivation of P(t). Let the derivation of P(t) have functional support P1(t1), . . . , Pn(tn). From Lemma 34 we have 1 ≤ i1 < . . . < ik ≤ n such that t ≈AC t_{i1} + . . . + t_{ik} and A+ |=AC P(x_{i1} + . . . + x_{ik}) ⇐ P1(x1), . . . , Pn(xn). Since A+ = B+, we obtain B+ |=AC P(x_{i1} + . . . + x_{ik}) ⇐ P1(x1), . . . , Pn(xn). Also the atoms P1(a_{P1}), . . . , Pn(a_{Pn}) are derivable from B, by definition of B. Hence P(a_{Pi1} + . . . + a_{Pik}) is derivable from B by Lemma 35. So F_P(a_{Pi1} + . . . + a_{Pik}) is derivable from A_P. Since A_P has no clause (17), by Lemma 34 this derivation has a functional support of the form R1(a_{Pi1}), . . . , Rk(a_{Pik}) and A_P+ |=AC F_P(x1 + . . . + xk) ⇐ R1(x1), . . . , Rk(xk). Since A_P+ ⊆ C by item 2 of the construction, it follows that

    C+ |=AC F_P(x1 + . . . + xk) ⇐ R1(x1), . . . , Rk(xk)   (*)

Also, since the clause Rj(a_{Pij}) is in A_P, Rj(x) ⇐ Pij(x) is in C for 1 ≤ j ≤ k, by item 3 of the construction.

For 1 ≤ i ≤ n, since ti is functional we have some free fi of arity ki and terms t^1_i, . . . , t^{ki}_i such that ti ≈AC fi(t^1_i, . . . , t^{ki}_i). Since Pi(ti) is in the functional support of the derivation of P(t), there is some clause Pi(fi(x1, . . . , xki)) ⇐ P^1_i(x1), . . . , P^{ki}_i(xki) such that for 1 ≤ j ≤ ki, the atom P^j_i(t^j_i) is derivable from A using a derivation strictly smaller than that of P(t). By induction hypothesis P^j_i(t^j_i) is derivable from C for 1 ≤ j ≤ ki. So, for 1 ≤ i ≤ n, Pi(ti) is derivable from C using the clause Pi(fi(x1, . . . , xki)) ⇐ P^1_i(x1), . . . , P^{ki}_i(xki) given in item 4 of the construction. Hence for 1 ≤ j ≤ k, Rj(t_{ij}) is derivable from C using the clause Rj(x) ⇐ Pij(x).

Hence from (*) and by Lemma 35, F_P(t_{i1} + . . . + t_{ik}), that is, F_P(t), is derivable from C. Finally we use the clause P(x) ⇐ F_P(x) from item 1 of the construction to get a derivation of P(t) from C. □

Lemma 40 For every P ∈ P, for every ground term t on Σ′, if P(t) is derivable from C then it is derivable from A.

PROOF. We do induction on the size of the derivation of P(t). Since P(x) ⇐ F_P(x) is the only clause with P on the left of ⇐, the derivation of P(t) uses the clause P(x) ⇐ F_P(x) as the last clause, so F_P(t) is derivable from C using a derivation strictly smaller than that of P(t). From Lemma 34 and from examination of the clauses in C, the derivation of F_P(t) has a functional support of the form P1(t1), . . . , Pn(tn) such that t ≈AC t1 + . . . + tn, the clause used immediately above the root of the derivation of Pi(ti) is of the form Ri(x) ⇐ Pi(x) and A_P+ |=AC F_P(x1 + . . . + xn) ⇐ R1(x1), . . . , Rn(xn). Also for 1 ≤ i ≤ n, the clause Ri(a_{Pi}) is in A_P. Hence F_P(a_{P1} + . . . + a_{Pn}) is derivable from A_P. So P(a_{P1} + . . . + a_{Pn}) is derivable from B. By Lemma 34, this derivation has a functional support of the form P1(a_{P1}), . . . , Pn(a_{Pn}), Q1(a_{Q1}), . . . , Qm(a_{Qm}) (m ≥ 0) and B+ |=AC P(x1 + . . . + xn) ⇐ P1(x1), . . . , Pn(xn), Q1(y1), . . . , Qm(ym). By definition B+ = A+, hence

    A+ |=AC P(x1 + . . . + xn) ⇐ P1(x1), . . . , Pn(xn), Q1(y1), . . . , Qm(ym)   (*)

For 1 ≤ i ≤ n, since ti is functional we have some free fi of arity ki and terms t^1_i, . . . , t^{ki}_i such that ti = fi(t^1_i, . . . , t^{ki}_i). Since Pi(ti) is in the functional support of the derivation of F_P(t), we have a clause Pi(fi(x1, . . . , xki)) ⇐ P^1_i(x1), . . . , P^{ki}_i(xki) in C corresponding to some clause Pi(fi(x1, . . . , xki)) ⇐ P^1_i(x1), . . . , P^{ki}_i(xki) in A, and for 1 ≤ j ≤ ki, the atom P^j_i(t^j_i) is derivable from C using a derivation strictly smaller than that of P(t). By induction hypothesis P^j_i(t^j_i) is derivable from A for 1 ≤ j ≤ ki. Hence for 1 ≤ i ≤ n, Pi(ti) is derivable from A using the clause Pi(fi(x1, . . . , xki)) ⇐ P^1_i(x1), . . . , P^{ki}_i(xki). Also, since A contains no empty states, for 1 ≤ i ≤ m we have ground terms si such that Qi(si) is derivable from A. So from (*), P(t1 + . . . + tn), i.e., P(t), is derivable from A. □

If P is the final state of A then we let P be the final state of C. From Lemmas 39 and 40, L_P(C) = L_P(A). We conclude that

Theorem 41 Standard two-way AC-tree automata without free push clauses can be effectively reduced to equivalent one-way AC-tree automata.

7.5 Elimination of Free Push Clauses

We have seen that we can add standard +-push clauses to one-way AC-tree automata without increasing their expressiveness. Now we show that we can further add free push clauses without increasing expressiveness, by showing how to eliminate the free push clauses. (Note that the free push clauses need not be standard, contrarily to +-push clauses, i.e., we consider AC-standard two-way AC-tree automata.)

We use a saturation procedure that iteratively adds new ε-clauses so that finally the free push clauses become redundant.

We first define one step of the saturation procedure. Let A be an AC-standard two-way AC-tree automaton with predicates from P. Let A1 be the part of A without the free push clauses.

Trivially A+ ⊆ A1.

We define the transition relation ⊲ as follows. We let A ⊲ A ∪ {R(xi) ⇐ Qi(xi)} provided:

1 A contains a free push clause R(xi) ⇐ P(f(x1, . . . , xn)), P1(xi1), . . . , Pk(xik);
2 A contains a free pop clause Q(f(x1, . . . , xn)) ⇐ Q1(x1), . . . , Qn(xn) (with the same free function symbol f);
3 A+ |=AC C for some clause C = P(x) ⇐ Q(x), R1(x1), . . . , Rp(xp) (p ≥ 0);
4 for each j ∈ {1, . . . , p} there is a ground term sj on Σ′ such that Rj recognizes sj in A1;
5 for each j ∈ {1, . . . , k} there is a ground term t_{ij} on Σ′ such that both Pj and Q_{ij} recognize t_{ij} in A1;
6 for each j ∈ {1, . . . , n} \ {i, i1, . . . , ik}, there is a ground term tj on Σ′ such that Qj recognizes tj in A1;
7 and no clause R(x) ⇐ Qi(x) is already in A.

Some remarks are necessary. In step 3, it is sufficient to consider the (finitely many) clauses in which R1, . . . , Rp are mutually distinct (the so-called condensed clauses). This is because, were R1 equal to R2 for example, the clauses P(x) ⇐ Q(x), R1(x1), R2(x2), . . . , Rp(xp) and P(x) ⇐ Q(x), R2(x2), . . . , Rp(xp) would be logically equivalent. For each condensed clause C = P(x) ⇐ Q(x), R1(x1), . . . , Rp(xp), the condition A+ |=AC C is then decidable by skolemizing, i.e., by testing whether A+ union the clauses −P(a), +Q(a), +R1(a1), . . . , +Rp(ap) is AC-unsatisfiable, where a, a1, . . . , ap are fresh constants. Equivalently, by testing whether A+ union the final intersection clause ⊥ ⇐ P′(x), P(x) and the unit clauses +P′(a), +Q(a), +R1(a1), . . . , +Rp(ap) is AC-unsatisfiable, where P′ is some fresh predicate symbol. This is decidable by Corollary 27, since this clause set is a standard two-way AC0-automaton.

Also, from Theorems 38 and 41, emptiness and intersection-emptiness problems are decidable for standard two-way AC-tree automata without free push clauses, so conditions 4, 5 and 6 are effectively testable. Hence we can effectively check whether A ⊲ A ∪ {R(xi) ⇐ Qi(xi)}. Since there are only finitely many ε-clauses R(xi) ⇐ Qi(xi), we can also compute all ε-clauses R(xi) ⇐ Qi(xi) such that A ⊲ A ∪ {R(xi) ⇐ Qi(xi)}.

This saturation step is harmless:

Lemma 42 Let A be any AC-standard two-way AC-tree automaton. If A ⊲ A ∪ {R(xi) ⇐ Qi(xi)}, then A ∪ {R(xi) ⇐ Qi(xi)} and A derive exactly the same ground atoms on Σ′.

PROOF. Every ground atom derivable from A is clearly derivable from A ∪ {R(xi) ⇐ Qi(xi)}. Conversely, it is sufficient to show that R(ti) is derivable from A assuming Qi(ti) is derivable from A. For j ∈ {1, . . . , n} \ {i}, let tj be as in item 5 (if j is in {i1, . . . , ik}) or as in item 6 (otherwise) above. Q(f(t1, . . . , tn)) is derivable from A using the free pop clause given in item 2. For j ∈ {1, . . . , p} let sj be as in item 4 above. Then P(f(t1, . . . , tn)) is derivable from A using the clause P(x) ⇐ Q(x), R1(x1), . . . , Rp(xp) of item 3, and the facts Q(f(t1, . . . , tn)) and R1(s1), . . . , Rp(sp). R(ti) is then derivable using the free push clause given in item 1, the fact P(f(t1, . . . , tn)) and the facts P1(ti1), . . . , Pk(tik) guaranteed by item 5. □

Given an AC-standard two-way AC-tree automaton A, our saturation procedure consists of (don't care non-deterministically) generating a sequence A0 (= A) ⊲ A1 ⊲ A2 . . . until no new clause can be added. This always terminates because there are only a finite number of ε-clauses R(xi) ⇐ Qi(xi) possible. Let the final, saturated, AC-standard two-way AC-tree automaton be B. Then we remove the free push clauses from B to get B1. This step is also harmless:

Lemma 43 Let B be an AC-standard two-way AC-tree automaton in ⊲-normal form, and B1 be obtained from B by removing all free push clauses. The sets of ground atoms on Σ′ derivable from B and from B1 are the same.

PROOF. That any ground atom derivable from B1 is also derivable from B is obvious. To show the converse, it is sufficient to show that a derivation from B which uses a free push clause only in the last step and nowhere else can be converted to a derivation from B1; the general case follows by induction on derivations.

Assume we have a derivation of R(ti) using the free push clause R(xi) ⇐ P(f(x1, . . . , xn)), P1(xi1), . . . , Pk(xik) in the last step. Hence the atoms P(f(t1, . . . , tn)), P1(ti1), . . . , Pk(tik) are derivable in B1. From Lemma 34 the derivation of P(f(t1, . . . , tn)) has a functional support of the form Q(f(t1, . . . , tn)), R1(s1), . . . , Rp(sp) (p ≥ 0) such that B+ |=AC P(x) ⇐ Q(x), R1(x1), . . . , Rp(xp). The derivation of Q(f(t1, . . . , tn)) must use some clause Q(f(x1, . . . , xn)) ⇐ Q1(x1), . . . , Qn(xn) as the last clause. Hence Q1(t1), . . . , Qn(tn) are derivable from B1. Since conditions 1–6 are satisfied, B ⊲ B ∪ {R(xi) ⇐ Qi(xi)}, unless some clause R(x) ⇐ Qi(x) is already in B. But B is ⊲-normal, so R(x) ⇐ Qi(x) is in B, hence in B1. Using the latter clause, and since Qi(ti) is derivable from B1, we obtain that R(ti) is derivable from B1. □

Hence the two-way automaton A is equivalent to the automaton B1. Hence free push clauses can be effectively eliminated from an AC-standard two-way AC automaton. From Theorem 41 it follows:

Theorem 44 AC-standard two-way AC-tree automata can be effectively reduced to one-way AC-tree automata recognizing the same language.

Corollary 45 AC-standard two-way AC-tree automata are effectively closed under intersection and their intersection-emptiness problem is decidable.

Although we have focused mainly on decidability in this paper, recent results (Verma et al., 2005) show that intersection-non-emptiness is NP-complete in the absence of +-push clauses, when the number of languages to be intersected is bounded by a fixed constant. The NP-completeness result holds even when the automata are restricted to be one-way AC0. It follows that the decision problem mentioned in Corollary 45, when restricted to a fixed number of languages to be intersected, is NP-hard. In case the number of languages to be intersected is not bounded, intersection-non-emptiness is DEXPTIME-hard, since intersection-non-emptiness of non-equational tree automata is a special case of it (Seidl, 1994).

8 Going Further

The decision procedure of Section 7 eventually adds new ε-clauses, and removes free push clauses. There is another way to derive the same result, using resolution and splittingless splitting. This is based on results by Goubault-Larrecq et al. (2004), which we recapitulate. This will allow us to show, additionally, that intersection-emptiness is decidable for two-way AC-tree automata (not just for AC-standard such automata) as soon as it is for constant-only two-way AC-tree automata. Therefore, the constant-only case indeed concentrates all difficulties, as we have claimed earlier.

Again, we only need to consider the case of one AC symbol +, by Lemma 30 and Lemma 31. We require the following definition.

Definition 46 (Blocks, Complex Clauses) A block is any clause of the form ±1 P1(x) ∨ . . . ∨ ±n Pn(x), for the same variable x. We abbreviate such blocks B(x).

A complex clause is any clause of the form ⋁_{i=1}^{m} ±i Pi(f(x1, . . . , xn)) ∨ B1(x1) ∨ . . . ∨ Bn(xn), where B1, . . . , Bn are blocks and m ≥ 1 (with the same f and the same set of variables x1, . . . , xn as arguments of f).

Note that every clause from any two-way, alternating E-tree automaton is either a block or a complex clause.

Imagine we would like to decide intersection-emptiness of two-way AC-tree automata. Let S be a set of two-way AC-tree automata clauses, including query and final intersection clauses. To decide whether S is AC-satisfiable, we use ordered resolution with selection, eager ε-splitting, and elimination of tautologies and forward subsumed clauses. As shown in Goubault-Larrecq et al. (2004, Section 4.1), this only derives blocks and complex clauses again, and there are only finitely many of them. So this strategy indeed decides S, in deterministic exponential time . . . modulo the empty theory. In the case where there is an AC symbol +, this strategy in general does not terminate (Goubault-Larrecq et al., 2004, Section 4.2), because the +-clauses, i.e., the clauses whose only function symbol is +, generated by resolution can grow without bounds.

The intuition behind the procedures of Goubault-Larrecq et al. (2004) is as follows. Imagine for the moment that we are using just resolution to decide the AC-satisfiability of automata clauses, modulo AC. Then any proof is a tree whose nodes are labeled by clauses; if resolution is applied to the side premises C1, . . . , Cn and the main premise C, with conclusion C′, then C′ will label a node whose sons are labeled with C1, . . . , Cn, C. Splitting would complicate matters quite a lot here. If we overlook the problem with splitting for the moment, and if we ignore the necessity of using splitting literals q, Goubault-Larrecq et al. (2004) show that, as long as we deal with blocks and complex clauses with only free function symbols (all but +), only finitely many clauses, either blocks or similar complex clauses, can be produced. As soon as + comes into play, we may get larger and larger +-clauses. But, if such clauses eventually participate in deriving the empty clause, it must be the case that one +-clause thus derived eventually resolves with other clauses to get a conclusion C that is either directly the empty clause, or can resolve with complex clauses not containing +. Since no term headed by + unifies with a term headed by f, with f ≠ +, and provided we only unify on maximal atoms, C can only be a disjunction of literals of the form ±P(x), with x a variable. Hence C must split into blocks.

This is tentatively pictured in Figure 3; the leaves of the derivation (at the top) are clauses in the initial clause set S. Resolution steps inside the white zones are those among blocks and free complex clauses, that is complex clauses in which + does not occur. These must terminate since they only generate finitely many clauses. Resolution steps inside the grey zones produce arbitrarily many, arbitrarily large +-clauses. This leads us to the following idea: instead of applying resolution inside the grey zones, try to guess the fat dots, which are the interface points between grey zones and white zones. Forbid resolution to act on +-clauses (this prevents us from using resolution to derive clauses inside the grey zones), and compensate this by adding a rule that infers the fat dot clauses, at the bottom of grey zones, directly from the clauses at the top of grey zones: this is the oracle rule. Although this does not seem practical at all, Goubault-Larrecq et al. (2004) use this to derive a complete (but unsound) oracle, and therefore give a sufficient condition for AC-satisfiability; this was then used to automatically verify the IKA.1 protocol in the so-called pure eavesdropper case. We use this idea to derive decidability results instead. Let us notice however that the fat dots, which are splittable disjunctions of blocks, are only finitely many.

[Figure 3 (drawing not reproduced). Legend: blocks and complex clauses (white zones); splittable disjunctions of blocks (fat dots); arbitrarily large +-clauses (grey zones); leaves in S at the top.]

Fig. 3. Grey zones, fat dots, white zones

The results of Goubault-Larrecq et al. (2004) apply to clauses of one of the following forms. We take the numbering from op. cit. Also, we let Q0 be the set of all splitting literals q of the form ⌈B(x)⌉, where B(x) is any non-empty negative block. If P contains p predicate symbols, then Q0 contains 2^p − 1 elements. The notation [∨ +q] denotes an optional literal +q in disjunction with the rest of the clause. A non-trivial clause is a clause containing at least one function symbol.

Definition 47 (4,5,6) Consider the following kinds of Horn clauses.

(4) C [∨ +q], where C is a block and q ∈ Q0;
(5) C ∨ −q1 ∨ . . . ∨ −qm [∨ +q], where C is a free complex clause, m ≥ 0, and q1, . . . , qm, q ∈ Q0;
(6) C [∨ +q], where C is a non-trivial +-clause, and q ∈ Q0.

Clearly all clauses that we consider in this paper are of one of the forms (4), (5), (6).

Let us abstract whatever may happen inside the grey zone by a unique rule: starting from a set S of clauses of type (4), (5) or (6), we guess which kind of clauses may be the fat dots terminating the grey zones. As noticed in Goubault-Larrecq et al. (2004, Section 4.4), these fat dots are the candidates. This is Goubault-Larrecq et al. (2004, Definition 2).

Definition 48 (Candidate, Oracle) A candidate is any Horn clause of the form B1(x1) ∨ . . . ∨ Bn(xn) [∨ +q], where the xi's are pairwise distinct, Bi(xi) is a non-empty block for every i, 1 ≤ i ≤ n, and q ∈ Q0.

A grey oracle is any function O mapping every set of clauses of type (4), (5), or (6), to a set of candidates containing all those deducible by grey resolution. Grey resolution is ordered resolution with selection, where at least one premise is of type (6).

Conversely, call white resolution the rule of ordered resolution with selection applied to premises of type (4) or (5) only.

The following is Goubault-Larrecq et al. (2004, Corollary 3), specialized to the case where Σ0 consists of all free function symbols, and Σ = {+}, and to the equational theory AC. (This corollary applies to any equational theory E that is simple, i.e., such that there is a computable strict, stable ordering ≻ closed under context applications and compatible with E, such that f(x1, . . . , xn) ≻ xi for every i, 1 ≤ i ≤ n, and every function symbol f. Clearly AC is a simple equational theory.)

Proposition 49 Let O be any grey oracle. Let ≻AC be any computable strict, stable ordering compatible with AC such that f(x1, . . . , xn) ≻AC xi for every i, 1 ≤ i ≤ n, for every function symbol f. Let sel be the following selection function:

• If C is a Horn +-clause, possibly in disjunction with +q, q ∈ Q0, then:
  · If C contains a negative literal −P(t) with t not a variable, then let sel(C) be {−P(t)};
  · Otherwise, if C can be written as A ⇐ H, P1(x), . . . , Pm(x) where x is free neither in A nor in the body (i.e., conjunction of atoms) H and m ≥ 1 (in other words, if there is a variable x free on the right of ⇐ but not on the left), then let sel(C) be {−P1(x), . . . , −Pm(x)}.
  · Otherwise, sel(C) is empty.
• If C is a clause containing no + function symbol, then:
  · if C contains a negative literal −q with q ∈ Q, then sel(C) = {−q};
  · otherwise, let max(C) be the set of maximal literals in C for ≻, then define sel(C) as the subset of those negative literals in max(C).

For simplicity, say "resolution" for "ordered resolution with selection with ordering ≻AC and selection function sel".

Then white resolution together with the grey oracle rule: to S add O(S), is complete for every set of clauses of type (4), (5), or (6). In other words, for every set S1 of clauses of type (4), (5), or (6), if S1 is AC-unsatisfiable, then the empty clause can be derived from S1 by white resolution and the grey oracle rule. Moreover, completeness is retained when removing tautologies, forward subsumed clauses, and ε-splitting of clauses not of type (6).

Proposition 49 requires quite a few assumptions. An ordering ≻AC obeying these assumptions always exists (Goubault-Larrecq et al., 2004, Section 4.4). To be fair, we shall never need to know the detailed definition of either ≻AC or sel.

Additionally, we observe that white resolution alone terminates with this choice of ≻AC and sel, while only generating clauses of type (4) or (5) (Goubault-Larrecq et al., 2004, Section 4.4).

Since there are only finitely many candidates, it follows that AC-satisfiability of sets of clauses of type (4), (5), and (6) reduces to finding a sound, computable grey oracle O.

Definition 50 A grey oracle O is sound if and only if, for every set S of clauses of type (4), (5), and (6), O(S) is a set of candidates that are semantic consequences modulo AC of the clauses in S.

Theorem 51 (Main Theorem) If there is a sound computable grey oracle, then AC-satisfiability of sets of clauses of type (4), (5), and (6) is decidable.

PROOF. If S1 is AC-unsatisfiable, by completeness (Proposition 49), we may derive the empty clause from S1 by white resolution and the grey oracle rule. Conversely, since both white resolution and the grey oracle rule only derive logical consequences of S1 modulo AC, if we can derive the empty clause, then S1 is AC-unsatisfiable. □

Since any alternating AC-tree automaton consists of clauses of this form, AC-unsatisfiability of such clause sets is undecidable, so there can be no sound computable grey oracle in general.

In the case of non-alternating automata, we can further restrict the clauses of type (4), (5), (6). This is formalized by the notion of alternation-free clauses (Definition 52 below). We shall then relax soundness for oracles so that the oracle O is only required to be sound on sets of alternation-free clauses. Then we shall show that finding such a sound oracle is equivalent to solving AC-satisfiability in the constant-only case.

Definition 52 (Alternation-Free) A term t is linear if and only if every variable occurs at most once in t. An atom is linear if and only if it is of the form q, q ∈ Q, or P(t) with t a linear term. We also consider that the symbol ⊥ is linear.

A Horn clause A ⇐ A1, . . . , An is alternation-free if and only if A, A1, . . . , An are linear, and every variable free in A occurs at most once in A1, . . . , An.

Note that pop clauses (6), ε-clauses (7), push clauses (9) (whether standard or conditional) are alternation-free. Query clauses (see Lemma 2) and even final intersection clauses (Lemma 3) are also alternation-free. On the other hand, intersection clauses (8) are not, and the only general push clauses (11) that are alternation-free are in fact just push clauses.

The point is that resolving alternation-free clauses together only produces alternation-free clauses, under mild assumptions, as we see shortly. We need to observe that unifiers have a special form:

Definition 53 (E, F-Linear) Let E and F be two sets of variables, and σ be any substitution. We say that σ is E, F-linear if and only if:

(1) for every variable z, zσ is a linear term;
(2) for every variable z, there is at most one variable x in E such that z is free in xσ, and at most one variable y in F such that z is free in yσ.

We observe that elements of complete sets of unifiers modulo AC, as used in resolution between alternation-free clauses, which unify s ≐ t, are E, F-linear, for some well-chosen disjoint sets E and F, in the cases that we are interested in. This is the topic of Lemma 54 and Lemma 55 below.

Lemma 54 Let s and t be any two linear terms, where only free function symbols occur, and with disjoint sets of free variables. Let E and F be two disjoint sets of variables containing the free variables of s, resp. t.

If s and t are unifiable, then they have a most general unifier σ, which is E, F-linear. Moreover, if z is any variable in E ∪ F that is not free in s or t, then z is not in dom σ and not free in z′σ for any z′ ∈ dom σ.

PROOF. Compute σ using the algorithm by Martelli and Montanari (1982). This can be described by the following rewrite rules on finite multisets of equations between terms; we let M be any such multiset, and comma denote multiset union:

(Delete)  M, u ≐ u → M
(Decomp)  M, f(u_1, ..., u_n) ≐ f(v_1, ..., v_n) → M, u_1 ≐ v_1, ..., u_n ≐ v_n
(Bind)    M, x ≐ v → M[x := v], x ≐ v   provided x is not free in v, but is free in M.

We consider that equations u ≐ v are unordered pairs of terms u, v, so that in particular u ≐ v and v ≐ u are the same equation. If s and t are unifiable, then this rewrite process terminates, starting from s ≐ t, on a so-called solved form z_1 ≐ u_1, ..., z_k ≐ u_k; then σ = [z_1 := u_1, ..., z_k := u_k] is an mgu of s ≐ t.

We claim that whenever M → M′, and M is linear, in the sense that every variable occurs at most once in M, then M′ is linear, too. This is clear for (Delete) and (Decomp), and (Bind) just does not apply. Since the initial multiset s ≐ t is linear, M_0 = z_1 ≐ u_1, ..., z_k ≐ u_k is linear, too. Item 1 of Definition 53 is then clear.

Let us say that an equation u ≐ v is split if and only if all the free variables of u are in E, and all the free variables of v are in F, or conversely. Let us say that a multiset of equations is split if and only if all its equations are split. We now claim that whenever M → M′ and M is split and linear, then M′ is split. This is clear for (Delete) and (Decomp), and (Bind) does not apply on linear multisets.

Let z be any variable. Since M_0 is linear, there is at most one i, 1 ≤ i ≤ k, such that z is free in u_i. So there is at most one i such that z is free in z_iσ. If item 2 were wrong, then there would be two variables x and x′, both in E (or, symmetrically, both in F) such that z is free in xσ and in x′σ. Not both x and x′ can be in {z_1, ..., z_k} by the previous remark. Not both x and x′ can be outside {z_1, ..., z_k}, otherwise z would be free in xσ = x and in x′σ = x′, entailing that z = x = x′. So one of them, say x, is some z_i, 1 ≤ i ≤ k, and the other, x′, lies outside {z_1, ..., z_k}. Therefore z is free in z_iσ, and z is free in x′σ = x′. Since z is free in z_iσ = xσ, z is in F, using the fact that M_0 is split; since z is free in x′, z = x′ and is therefore in E. This is a contradiction, since no variable is both in E and in F. So item 2 holds.

The final claim is clear, since it is an invariant that all variables occurring in any multiset M obtained from s ≐ t are free in s or t. □
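As an added illustration (example code written for this page, not code from the paper or its authors), the following Python models terms, the linearity conditions of Definition 52, the three Martelli-Montanari rules used in the proof above, and the E, F-linearity test of Definition 53. The term encoding (tuples for applications, strings for variables), the function names and the sample terms s = f(x1, g(x2)), t = f(g(y1), y2) are all constructed here. The unifier goes slightly beyond the setting of Lemma 54 in that it also accepts non-linear inputs, where (Bind) can actually fire and an occurs check is needed.

```python
# Added example (not the paper's code): terms, linearity (Definition 52),
# Martelli-Montanari unification (proof of Lemma 54) and E,F-linearity (Definition 53).
# A variable is a str; an application f(t1,...,tn) is the tuple (f, t1, ..., tn),
# so a constant a is ('a',).

def free_vars(t):
    """Free variables of a term, with multiplicity (so that linearity can be checked)."""
    if t is None:                      # state atoms q and the symbol ⊥ carry no term
        return []
    if isinstance(t, str):
        return [t]
    return [v for arg in t[1:] for v in free_vars(arg)]

def is_linear(t):
    """Definition 52: every variable occurs at most once in t."""
    vs = free_vars(t)
    return len(vs) == len(set(vs))

def is_alternation_free(head, body):
    """Definition 52 for a Horn clause head <= body; atoms are (predicate, term) pairs,
    with term None for ⊥ and for state atoms q."""
    if not all(is_linear(t) for _, t in [head] + body):
        return False
    body_vars = [v for _, t in body for v in free_vars(t)]
    return all(body_vars.count(v) <= 1 for v in free_vars(head[1]))

def subst(t, sigma):
    """Apply the substitution sigma (a dict variable -> term) to t."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(a, sigma) for a in t[1:])

def unify(s, t):
    """Martelli-Montanari unification by (Delete), (Decomp), (Bind) on a multiset M of
    equations.  Returns the mgu as a dict, or None if s and t do not unify.  Equations are
    unordered pairs; a solved equation x = v is moved out of M into the solved form."""
    M = [(s, t)]
    solved = {}
    while M:
        u, v = M.pop()
        if u == v:                                     # (Delete)
            continue
        if isinstance(v, str) and not isinstance(u, str):
            u, v = v, u                                # u = v and v = u are the same equation
        if isinstance(u, str):                         # (Bind) x = v
            if u in free_vars(v):
                return None                            # occurs check: x free in v, no unifier
            bind = {u: v}
            M = [(subst(a, bind), subst(b, bind)) for a, b in M]
            solved = {x: subst(w, bind) for x, w in solved.items()}
            solved[u] = v
            continue
        if u[0] != v[0] or len(u) != len(v):           # symbol clash: no unifier
            return None
        M.extend(zip(u[1:], v[1:]))                    # (Decomp)
    return solved

def is_EF_linear(sigma, E, F):
    """Definition 53: (1) every z.sigma is linear; (2) each variable z is free in x.sigma for
    at most one x in E and in y.sigma for at most one y in F (variables outside dom sigma
    are mapped to themselves)."""
    if not all(is_linear(w) for w in sigma.values()):
        return False
    for z in {v for w in sigma.values() for v in free_vars(w)} | set(E) | set(F):
        if sum(z in free_vars(subst(x, sigma)) for x in E) > 1:
            return False
        if sum(z in free_vars(subst(y, sigma)) for y in F) > 1:
            return False
    return True

def lemma54_check(s, t):
    """Setting of Lemma 54: s, t linear, variable-disjoint, free symbols only.  Returns the
    mgu and whether it is E,F-linear for E = fv(s), F = fv(t)."""
    assert is_linear(s) and is_linear(t) and not set(free_vars(s)) & set(free_vars(t))
    sigma = unify(s, t)
    return sigma, sigma is not None and is_EF_linear(sigma, free_vars(s), free_vars(t))

# Constructed sample terms: s = f(x1, g(x2)), t = f(g(y1), y2)
S = ('f', 'x1', ('g', 'x2'))
T = ('f', ('g', 'y1'), 'y2')
```

On the sample terms the mgu is [x1 := g(y1), y2 := g(x2)]: the variable y1 is free in x1σ for exactly one x1 ∈ E and in y1σ = y1 for exactly one variable of F, as item 2 of Definition 53 demands.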

We then study the structure of complete sets of unifiers modulo AC.

Lemma 55 A bisimulation R between two sets A and B is any subset of A × B such that, for every x ∈ A, there is some y ∈ B such that (x, y) ∈ R, and for every y ∈ B, there is some x ∈ A such that (x, y) ∈ R.

Write \sum_{i=1}^{p} u_i for u_1 + ... + u_p.

Let s = \sum_{i=1}^{m} x_i and t = \sum_{j=1}^{n} y_j be two linear sums of variables, and assume no x_i equals any y_j. Let E and F be any two disjoint sets of variables containing the free variables of s, resp. t. Let z_ij, 1 ≤ i ≤ m, 1 ≤ j ≤ n be mn fresh variables, that is, outside E ∪ F.

For any bisimulation R between {1, ..., m} and {1, ..., n}, let σ_R be the substitution such that

    x_i \sigma_R = \sum_{j : (i,j) \in R} z_{ij}   (1 \le i \le m)
    y_j \sigma_R = \sum_{i : (i,j) \in R} z_{ij}   (1 \le j \le n)

Then the set of all substitutions σ_R, when R ranges over all bisimulations between {1, ..., m} and {1, ..., n}, is a complete set of unifiers of s ≐ t modulo AC.

Furthermore, for every bisimulation R, σ_R is E, F-linear, and if z is any variable in E ∪ F that is not free in s or t, then z is not in dom σ_R and not free in z′σ_R for any z′ ∈ dom σ_R.

PROOF. First, σ_R is well-defined because, since R is a bisimulation, every right-hand side of the defining equations is a non-empty sum. Second, it is clear that sσ_R = \sum_{i,j : (i,j) \in R} z_{ij} = tσ_R, so σ_R is a unifier of s ≐ t modulo AC.

Conversely, assume σ is any unifier of s ≐ t modulo AC. Write sσ ≈_AC tσ as a sum \sum_{k=1}^{N} u_k, where the terms u_k are not sums. Since this sum equals \sum_{i=1}^{m} x_iσ modulo AC, there is a surjective map f : {1, ..., N} → {1, ..., m} such that x_iσ = \sum_{k \in f^{-1}(i)} u_k for every i, 1 ≤ i ≤ m. Similarly there is a surjective map g : {1, ..., N} → {1, ..., n} such that y_jσ = \sum_{k \in g^{-1}(j)} u_k, 1 ≤ j ≤ n. Let R be the relation defined by (i, j) ∈ R if and only if f^{-1}(i) ∩ g^{-1}(j) ≠ ∅, and let θ be the substitution mapping z_ij to \sum_{k \in f^{-1}(i) \cap g^{-1}(j)} u_k. Since f and g are surjective, R is a bisimulation. Then σ = σ_Rθ, proving that the set of all σ_R, R a bisimulation, is a complete set of unifiers modulo AC.

To show that σ_R is E, F-linear, note that item 1 is clear. For item 2, let z be any variable. If z is not one of the variables z_ij, then z occurs free in z′σ if and only if z′ = z, and z is not one of the variables x_i or y_j. Otherwise, let z = z_ij, then the only variable x free in s such that z is free in xσ is x_i, and the only variable y free in t such that z is free in yσ is y_j, proving item 2.

The final claim is clear, in particular from the fact that the variables z_ij were chosen outside E ∪ F. □

Another construction would have been to use the classical Stickel-Fages AC unification algorithm (Stickel, 1981; Fages, 1984), and reason about Diophantine equations with coefficients in {0, 1}.
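As an added, self-contained example (not the paper's or the authors' code), here is the construction of Lemma 55 in Python: the enumeration of bisimulations, the substitutions σ_R, a check that each one is an AC-unifier of s ≐ t, and the factorisation σ = σ_R θ from the converse direction of the proof, computed exactly as the proof builds f, g, R and θ. Sums are kept as multisets (Counters), so multiset equality is equality modulo AC; the fresh-variable naming z{i}{j} and the sample unifier are constructed for this example.

```python
# Added example (not the paper's code): the complete set of AC-unifiers of two linear sums
# s = x1+...+xm and t = y1+...+yn (Lemma 55), indexed by bisimulations R, and the
# factorisation sigma = sigma_R theta from the proof.  A sum is a Counter (multiset) of
# summands, so Counter equality is exactly equality modulo AC.  Fresh variables are named
# "z{i}{j}", which assumes m, n < 10 (a naming convenience of this example only).
from collections import Counter

def bisimulations(m, n):
    """All bisimulations R between {1..m} and {1..n}: every i has a partner j and conversely."""
    pairs = [(i, j) for i in range(1, m + 1) for j in range(1, n + 1)]
    for mask in range(1 << len(pairs)):
        R = frozenset(p for k, p in enumerate(pairs) if mask >> k & 1)
        if {i for i, _ in R} == set(range(1, m + 1)) and {j for _, j in R} == set(range(1, n + 1)):
            yield R

def sigma_R(xs, ys, R):
    """sigma_R: x_i -> sum of z_ij over j with (i,j) in R; y_j -> sum of z_ij over i with (i,j) in R."""
    sigma = {}
    for i, x in enumerate(xs, 1):
        sigma[x] = Counter(f"z{i}{j}" for (a, j) in R if a == i)
    for j, y in enumerate(ys, 1):
        sigma[y] = Counter(f"z{i}{j}" for (i, b) in R if b == j)
    return sigma

def apply(s, sigma):
    """s.sigma for a sum s (an iterable of summands or a Counter): multiset union of the
    v.sigma; summands outside dom sigma are left unchanged."""
    out = Counter()
    for v, k in Counter(s).items():
        for _ in range(k):
            out += sigma.get(v, Counter({v: 1}))
    return out

def csu_is_sound(xs, ys):
    """First half of Lemma 55: every sigma_R unifies s and t modulo AC."""
    return all(apply(xs, sigma_R(xs, ys, R)) == apply(ys, sigma_R(xs, ys, R))
               for R in bisimulations(len(xs), len(ys)))

def factor(xs, ys, sigma):
    """Second half of Lemma 55, for a ground AC-unifier sigma (values: Counters of constants):
    build f, g, the bisimulation R and theta with sigma = sigma_R theta."""
    assert apply(xs, sigma) == apply(ys, sigma), "sigma is not an AC-unifier"
    u, f = [], []                      # u_1..u_N: summands of s.sigma; f(k) = i when u_k comes from x_i.sigma
    for i, x in enumerate(xs, 1):
        for c, k in sorted(sigma[x].items()):
            u += [c] * k
            f += [i] * k
    g = [None] * len(u)                # g(k) = j: match each summand of y_j.sigma with an unused u_k
    for j, y in enumerate(ys, 1):
        for c, k in sorted(sigma[y].items()):
            for _ in range(k):
                pos = next(p for p in range(len(u)) if u[p] == c and g[p] is None)
                g[pos] = j
    R = frozenset(zip(f, g))           # (i,j) in R iff f^-1(i) and g^-1(j) intersect
    theta = {}
    for k, c in enumerate(u):          # theta(z_ij) = sum of the u_k with f(k) = i and g(k) = j
        theta.setdefault(f"z{f[k]}{g[k]}", Counter())[c] += 1
    return R, theta

def compose(sigma_r, theta):
    """sigma_R theta: apply theta to every value of sigma_R."""
    return {v: apply(w, theta) for v, w in sigma_r.items()}

# Constructed instance: s = x1 + x2, t = y1 + y2 + y3 and the ground AC-unifier
# sigma = [x1 := a + b, x2 := c + c, y1 := a, y2 := b + c, y3 := c].
XS, YS = ['x1', 'x2'], ['y1', 'y2', 'y3']
SIGMA = {'x1': Counter('ab'), 'x2': Counter('cc'),
         'y1': Counter('a'), 'y2': Counter('bc'), 'y3': Counter('c')}
```

For the constructed instance the proof's construction yields R = {(1,1), (1,2), (2,2), (2,3)}, with θ sending z11 to a, z12 to b and z22, z23 to c; composing σ_R with θ gives back σ. The number of bisimulations grows quickly (7 for m = n = 2, 25 for m = 2, n = 3), which is why the paper's Proposition 64 only ever unifies ⟨n⟩ against x + y, where the bisimulations are classified by the split n_1 + n_2.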


Proposition 56 Any resolvent between two alternation-free Horn clauses of the form (4), (5), or (6) is again alternation-free, and Horn, and a disjunction of variable disjoint clauses of the form (4), (5), or (6).

PROOF. That the resolvent must be Horn is clear. That it is again a disjunction of variable disjoint clauses of the form (4), (5), or (6) is by Proposition 1 of Goubault-Larrecq et al. (2004), the stepping stone in proving Proposition 49.

Let us show that it must be alternation-free. To fix notations, let C ∨ +A and −A′ ∨ C′ be the premises, and σ ∈ csu_AC(A ≐ A′). The conclusion is (C ∨ C′)σ. Let E be the set of free variables of C ∨ +A, F be that of −A′ ∨ C′. Recall that resolution applies to clauses that have been renamed first so as not to have any free variable in common, so E and F are disjoint. Observe also that the domain dom σ of σ contains only variables that are free in s or t.

If A = A′ = q ∈ Q, then σ is the identity. Write C′ as B ⇐ B_1, ..., B_n. Then every variable free in B occurs at most once in B_1, ..., B_n, hence in C ∨ C′ = +B ∨ −B_1 ∨ ... ∨ −B_n ∨ C, since C and C′ share no variable. Moreover, all atoms of C ∨ C′ are clearly linear, so C ∨ C′ is alternation-free.

If A = P(s), A′ = P(t), where s and t share no free variable, and are linear terms by assumption, then either the only function symbols occurring in s and t are free, so σ is E, F-linear by Lemma 54; or the only function symbol occurring in s and t is +, so σ is E, F-linear by Lemma 55. There is no other case, because non-trivial +-sums do not unify with terms of the form f(...) with f free.

By Lemma 54 and Lemma 55 again, σ also satisfies: (∗) if z is any variable in E ∪ F that is not free in s or t, then z is not in dom σ and not free in z′σ for any z′ ∈ dom σ.

Since σ is E, F-linear, xσ is linear for every variable x free in C ∨ +A, and either xσ = x or the only free variables in xσ are variables in F, hence not in E. For every atom of the form P′(s′) in C ∨ +A, it is easy to see that s′σ is therefore linear. Similarly, for every atom P′(t′) in −A′ ∨ C′, t′σ is linear.

Now write C′ as B ⇐ B_1, ..., B_n, and let z be some free variable of Bσ. Since z is free in Bσ, z is free in some term y_0σ, for some free variable y_0 in B, in particular, for some y_0 ∈ F. Since σ is E, F-linear, there is exactly one variable y_0 in F such that z is free in y_0σ; and y_0 is free in B.

Assume by contradiction that z occurs at least twice in (−B_1 ∨ ... ∨ −B_n ∨ C)σ. If z occurs at all in Cσ, there is a variable x free in C, hence in E, such that z is free in xσ; since σ is E, F-linear, by item 2, such a variable x is unique if it exists. Similarly, if z occurs at all in (−B_1 ∨ ... ∨ −B_n)σ, then there is a unique variable y in F such that z is free in yσ. We then have three cases:

• Case 1: z occurs twice in Cσ, so x exists, and x occurs twice in C. So x does not occur in +A = +P(s), since C is alternation-free. Since dom σ only contains variables that are free in s or t by (∗), x cannot be in dom σ. Since z is free in xσ, z equals x. Since x is in E ∪ F but is not free in s or t, by (∗) again, x is not free in y_0σ if y_0 ∈ dom σ. So either y_0 ∉ dom σ, so y_0σ = y_0; as z = x is free in y_0σ, this entails x = y_0, contradicting the fact that x ∈ E, y_0 ∈ F and E ∩ F = ∅. Or y_0 ∈ dom σ, so x is not free in y_0σ; since z = x, z is not free in y_0σ, a contradiction again.

• Case 2: z occurs twice in (−B_1 ∨ ... ∨ −B_n)σ, so y exists, and y occurs twice in −B_1 ∨ ... ∨ −B_n. Since C′ = B ⇐ B_1, ..., B_n is alternation-free, y is not free in B. Recall that y_0 is in F and z is free in y_0σ, and that y is the unique variable in F such that z is free in yσ; so y = y_0. But y is not free in B, whereas y_0 is, contradiction.

• Case 3: z occurs once in Cσ and once in (−B_1 ∨ ... ∨ −B_n)σ, so x and y both exist, x occurs once in C, and y occurs once in −B_1 ∨ ... ∨ −B_n. Since z is free both in yσ and in y_0σ, and y, y_0 ∈ F, by unicity y = y_0 (as in Case 2). Since y_0 occurs free in +B, y occurs free in +B, and also in −B_1 ∨ ... ∨ −B_n. If y also occurred free in t, then it would occur twice in −P(t) ∨ −B_1 ∨ ... ∨ −B_n, contradicting the fact that −A′ ∨ C′ = +B ∨ −P(t) ∨ −B_1 ∨ ... ∨ −B_n is alternation-free. So y is not free in t.

  We now use an argument similar to Case 1. Since dom σ only contains variables that are free in s or t by (∗), y cannot be in dom σ. Since z is free in yσ, z equals y. Since y is in E ∪ F but is not free in s or t, by (∗) again, y is not free in xσ if x ∈ dom σ. So either x ∉ dom σ, so xσ = x; as z = y is free in xσ, this entails y = x, contradicting the fact that y ∈ F, x ∈ E, and E ∩ F = ∅. Or x ∈ dom σ, so y is not free in xσ; since z = y, z is not free in xσ, a contradiction again.

As all cases lead to a contradiction, z occurs at most once in (−B_1 ∨ ... ∨ −B_n ∨ C)σ = (C ∨ C′)σ. So the resolvent (C ∨ C′)σ is alternation-free. □

We can now refine Proposition 49. Nothing changes except that we have sprinkled the word “alternation-free” throughout, and replaced the set Q_0 of names ⌜B(x)⌝ of ε-blocks by the subset Q_1 generated by alternation-free Pε-blocks.

Definition 57 (Candidate, Oracle) An alternation-free candidate is any alternation-free Horn clause of the form B_1(x_1) ∨ ... ∨ B_n(x_n) [∨ +q], where the x_i's are pairwise distinct, B_i(x_i) is a non-empty block for every i, 1 ≤ i ≤ n, and q ∈ Q_1.

An alternation-free grey oracle is any function O mapping every set of alternation-free clauses of type (4), (5), or (6), to a set of alternation-free candidates containing all those deducible by grey resolution.


Proposition 58 Let O be any alternation-free grey oracle. Let ≻_AC and sel be as in Proposition 49.

Then white resolution together with the grey oracle rule is complete for every set of alternation-free clauses of type (4), (5), or (6). In other words, for every set S_1 of alternation-free clauses of type (4), (5), or (6), if S_1 is AC-unsatisfiable, then the empty clause can be derived from S_1 by white resolution and the grey oracle rule. Moreover, completeness is retained when removing tautologies, forward subsumed clauses, and ε-splitting of clauses not of type (6).

Notice that we can always restrict alternation-free grey oracles to only output alternation-free clauses. Indeed, we only required that grey oracles output at least all the clauses deducible by grey resolution, but grey resolution only derives alternation-free clauses, starting from alternation-free clauses of type (4), (5), (6), by Proposition 56. The following notion of a.f.-soundness weakens soundness by requiring O to be sound only on sets of alternation-free clauses.

Definition 59 An alternation-free grey oracle O is a.f.-sound if and only if, for every set S of alternation-free clauses of type (4), (5), and (6), O(S) is a set of alternation-free candidates that are semantic consequences modulo AC of the clauses in S.

Theorem 60 (Main Theorem, Alternation-Free Case) If there is an a.f.-sound computable alternation-free grey oracle, then AC-satisfiability of sets of alternation-free clauses of type (4), (5), and (6) is decidable.

Now the existence of an a.f.-sound, computable alternation-free grey oracle is equivalent to solving the constant-only case:

Proposition 61 There is an a.f.-sound computable alternation-free grey oracle if and only if the AC-satisfiability of sets of alternation-free AC0-clauses of the form (4), (5), (6) is decidable.

PROOF. For any set S of clauses of the above type, let S_{4,6} be the subset of the clauses of the form (4) or (6). To find a grey oracle, we only need it to find at least all consequences by grey resolution of S_{4,6}, not of S. This is because clauses of type (5) never resolve with clauses of type (6), and clauses (4) and (6) only resolve to produce again clauses of type (4) or (6), as noticed in Goubault-Larrecq et al. (2004, Proposition 1).

Assume that the constant-only case is decidable. Then define O as enumerating all alternation-free candidates C (which are finitely many), and returning those such that S_{4,6} ⊨_AC C. We have already remarked (in justifying that condition 3 of the definition of ⊳ was decidable, in Section 7.5) that this could be decided by skolemizing C, and using the decidability of the constant-only case. (Although C is now slightly more general than in Section 7.5, the same argument applies.) Clearly O is a.f.-sound, computable, and is an alternation-free grey oracle.

Conversely, if there is an a.f.-sound computable alternation-free grey oracle, then by Theorem 60 AC-satisfiability of sets of alternation-free clauses of type (4), (5), and (6) is decidable, in particular for sets of AC0-clauses. □

From (slight and easy variants of) the latter results, it follows again that intersection-emptiness of AC-standard two-way AC-tree automata is decidable, thus providing another proof of Corollary 45. This is because, by Corollary 27, the constant-only case of AC-standard two-way AC-tree automata is decidable, hence there is a computable grey oracle that is sound for the particular sets of +-clauses needed to handle AC-standard two-way AC-tree automata.

More generally, we obtain the following result. This shows that, to settle the decidability status of intersection-emptiness for two-way AC-tree automata, the only difficulty resides in the constant-only case. As discussed in the conclusion of Verma and Goubault-Larrecq (2005), this may be extraordinarily difficult to deal with, since it includes generalizations of the Petri net reachability problem as (very) particular subproblems.

Proposition 62 Let + be a fixed associative commutative symbol. Assume that it is decidable whether any given finite set of alternation-free Horn clauses that are either ε-blocks, free complex clauses on a fixed signature consisting only of constant symbols, or +-clauses, is AC-satisfiable (the so-called constant-only case). Then AC-satisfiability of finite sets of alternation-free Horn clauses that are either ε-blocks, free complex clauses, or +-clauses, is decidable.

Similar reasoning establishes the following result.

Proposition 63 Let + be a fixed associative commutative symbol. Assume that it is decidable whether any given finite set of alternation-free Horn clauses that are either ε-blocks, free complex clauses on a fixed signature consisting only of constant symbols, or +-pop and +-push clauses, is AC-satisfiable. Then intersection-emptiness of two-way AC-tree automata is decidable.

9 Conclusion

We have classified alternating two-way AC-tree automata according to the decidability of the intersection-emptiness question. Essentially, alternation, general push clauses, and equality constraints between brothers lead to undecidability. On the other hand we were able to give a decision algorithm for two-way AC-tree automata (without alternation), with the restriction that the push clauses on equational symbols must be standard.

The case when conditional +-push clauses are included in two-way AC-tree automata is open. Nonetheless we have shown that this reduces to the constant-only case. While this may seem to be a considerable simplification, we have noticed that already intersection-emptiness for the subcase of Petri two-way AC0-automata includes the question of BVASS reachability, which includes that of Petri net reachability. The latter is decidable, but it is not clear at the moment either how to translate Petri two-way AC0-automata or how to extend the Mayr-Kosaraju algorithm to BVASS, hence to Petri two-way AC0-automata. However, once this is done, a suitable variant of Proposition 63 should be usable to conclude that a suitable restriction of two-way AC-tree automata (which would naturally be called Petri two-way AC-tree automata) has a decidable intersection-emptiness problem. We conjecture that intersection-emptiness is also decidable for the general case of two-way AC-tree automata, but this is even harder.

Figure 4 sums up our main results.

References

Bachmair, L. and Ganzinger, H. (2001). Resolution theorem proving. In Robinson and Voronkov (2001), chapter 2, pages 19–99.

Bogaert, B. and Tison, S. (1992). Equality and disequality constraints on direct subterms in tree automata. In Proc. 9th Annual Symposium on Theoretical Aspects of Computer Science (STACS’92), pages 161–172. Springer-Verlag LNCS 577.

Boneva, I. and Talbot, J.-M. (2005). Automata and logics for unranked and unordered trees. In RTA’05, pages 500–515. Springer-Verlag LNCS 3467.

Bouhoula, A. and Jouannaud, J.-P. (1997). Automata-driven automated induction. In LICS-12 (1997), pages 14–25.

Chang, C.-L. and Lee, R. C.-T. (1973). Symbolic Logic and Mechanical Theorem Proving. Computer Science Classics. Academic Press.

Charatonik, W. and Podelski, A. (1998). Set-based analysis of reactive infinite-state systems. In Steffen, B., editor, Proc. 1st Intl. Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’98), pages 358–375. Springer-Verlag LNCS 1384.

Comon, H., Cortier, V., and Mitchell, J. (2001). Tree automata with one memory, set constraints and ping-pong protocols. In Proc. 28th Intl. Colloquium on Automata, Languages, and Programming (ICALP’2001), pages 682–693. Springer-Verlag LNCS 2076.

Comon, H., Dauchet, M., Gilleron, R., Jacquemard, F., Lugiez, D., Tison, S., and Tommasi, M. (1997). Tree automata techniques and applications. www.grappa.univ-lille3.fr/tata/.


[Figure 4: a diagram of the classes of AC-tree automata studied in the paper, each node labelled with the marks of the legend below and with the place where the class is defined; the inclusion arrows between the nodes are not recoverable from the extracted text, and a blank [ ] is a mark that did not survive extraction. The nodes are: One-way AC [∗ †] (Definition 4); Alternating AC [ ] (Definition 5); Standard two-way AC [∗ †] (Definition 7); AC-standard two-way AC [∗ †] (Definition 9); Petri two-way AC [†?] (footnote to Corollary 27); Two-way AC [†?] (Definition 6); Alternating two-way AC [ ] (Definition 6); ≈ General two-way AC [ ] (Proposition 15); Alternation-Free (4), (5), (6) [†?] (Definitions 47, 52); (4), (5), (6) [ ] (Definition 47).]

∗: closed under union, intersection. †: intersection-emptiness decidable.
†?: intersection-emptiness decidable if so in the constant-only case. ¬†: intersection-emptiness undecidable.

Fig. 4. Results on the AC-tree automata considered in this paper

Comon, H. and Jacquemard, F. (1997). Ground reducibility is EXPTIME-complete. In LICS-12 (1997), pages 26–34.

Courcelle, B. (1989). On recognizable sets and tree automata. In Nivat, M. and Aït-Kaci, H., editors, Resolution of Equations in Algebraic Structures. Academic Press.

Davis, M. D. and Weyuker, E. J. (1985). Computability, Complexity and Languages. Academic Press, New York.

de Groote, P., Guillaume, B., and Salvati, S. (2004). Vector addition tree automata. In Proc. 19th Annual IEEE Symposium on Logics in Computer Science. IEEE Computer Society Press. To appear.

Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654.

Dowling, W. F. and Gallier, J. H. (1984). Linear-time algorithms for testing the satisfiability of propositional Horn formulae. Journal of Logic Programming, 1(3):267–84.

Emerson, E. A. and Jutla, C. S. (1988). The complexity of tree automata and logics of programs (extended abstract). In Proc. 29th Symposium on Foundations of Computer Science (FOCS’88), pages 328–337.

Fages, F. (1984). Associative-commutative unification. In 7th Intl. Conference on Automated Deduction, pages 194–208. Springer Verlag LNCS 170.

Finkel, A. and Schnoebelen, P. (2001). Well-structured transition systems everywhere! Theoretical Computer Science, 256(1–2):63–92.

Frühwirth, T., Shapiro, E., Vardi, M. Y., and Yardeni, E. (1991). Logic programs as types for logic programs. In Proc. 6th Annual IEEE Symposium on Logic in Computer Science (LICS’91), pages 300–309. IEEE Computer Society Press.

Gécseg, F. and Steinby, M. (1997). Tree languages. In Rozenberg, G. and Salomaa, A., editors, Handbook of Formal Languages, volume 3, pages 1–68. Springer Verlag.

Genet, T. (1998). Decidable approximations of sets of descendants and sets of normal forms. In Nipkow, T., editor, Proc. of the 9th Intl. Conference on Rewriting Techniques and Applications (RTA’98), pages 151–165. Springer Verlag LNCS 1379.

Genet, T. and Klay, F. (2000). Rewriting for cryptographic protocol verification. In 17th Intl. Conference on Automated Deduction (CADE-17), pages 271–290. Springer Verlag LNCS 1831.

Ginsburg, S. and Spanier, E. H. (1966). Semigroups, Presburger formulas and languages. Pacific Journal of Mathematics, 16(2):285–296.

Goré, R., Leitsch, A., and Nipkow, T., editors (2001). 1st Intl. Joint Conference on Automated Reasoning (IJCAR’01), Siena, Italy. Springer Verlag LNAI 2083.

Goubault-Larrecq, J. (2000). A method for automatic cryptographic protocol verification. In Formal Methods in Parallel Programming Theory and Applications (FMPPTA’2000), 15th IPDPS Workshops, pages 977–984. Springer-Verlag LNCS 1800.

Goubault-Larrecq, J. (2002).
 Higher-order positive set constraints. In Bradfield, J., editor, 15th Annual Conf. of the European Association for Computer Science Logic (CSL’02), pages 473–489. Springer Verlag LNCS 2471.

Goubault-Larrecq, J. (2003). Résolution ordonnée avec sélection et classes décidables de la logique du premier ordre. Lecture notes for the course “démonstration automatique et vérification de protocoles cryptographiques” (with Hubert Comon-Lundh), DEA “programmation”. 70 pages, http://www.lsv.ens-cachan.fr/~goubault/SOresol.ps. In French.

Goubault-Larrecq, J., Roger, M., and Verma, K. N. (2004). Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically. Journal of Logic and Algebraic Programming. To appear. Available as LSV Research Report LSV-04-7, Mar. 2004, http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/rr-lsv-2004-7.rr.ps.

Goubault-Larrecq, J. and Verma, K. N. (2002). Alternating two-way AC-tree automata. Research Report LSV-02-11, LSV, ENS de Cachan. Available at http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/rr-lsv-2002-11.rr.ps.

Hopcroft, J. and Pansiot, J. J. (1979). On the reachability problem for 5-dimensional vector addition systems. Theoretical Computer Science, 8:135–159.

Ibarra, O. H., Su, J., Dang, Z., Bultan, T., and Kemmerer, R. A. (2001). Counter machines and verification problems. Theoretical Computer Science. To appear.

Jouannaud, J.-P. (1995). Rewrite proofs and computations. In Schwichtenberg, H., editor, Proof and Computation, volume 139 of NATO series F: Computer and Systems Sciences, pages 173–218. Springer Verlag.

Kaji, Y., Fujiwara, T., and Kasami, T. (1997). Solving a unification problem under constrained substitutions using tree automata. Journal of Symbolic Computation, 23(1):79–117.

Karp, R. M. and Miller, R. E. (1969). Parallel program schemata. Journal of Computer and System Sciences, 3(2):147–195.

Kosaraju, S. R. (1982). Decidability of reachability in vector addition systems. In Proc. 14th Annual ACM Symposium on the Theory of Computing (STOC’82), pages 267–281.

Lambert, J.-L. (1992). A structure to decide reachability in Petri nets. Theoretical Computer Science, 99(1):79–104.

Li, P. (1988). Pattern matching in trees. Master’s Thesis CS-88-23, University of Waterloo.

LICS-12 (1997). Proc. 12th Annual IEEE Symposium on Logic in Computer Science (LICS’97). IEEE Computer Society Press.

Lipton, R. (1976). The reachability problem requires exponential space. Technical Report 62, Dept. Computer Science, Yale University.

Lugiez, D. (1998). A good class of tree automata. Application to inductive theorem proving. In Proc. 25th Intl. Colloquium on Automata, Languages, and Programming (ICALP’98), pages 409–420. Springer-Verlag LNCS 1443.

Lugiez, D. (2003). Counting and equality constraints for multitree automata. In Proc. 6th Conference on Foundations of Software Science and Computation Structures (FoSSaCS’03), European Joint Conferences on Theory and Practice of Software (ETAPS’03), Springer-Verlag LNCS 2620, pages 328–342.

Lugiez, D. and Moysset, J. L. (1994). Tree automata help one to solve equational formulae in AC-theories. Journal of Symbolic Computation, 18(4):297–318.

Martelli, A. and Montanari, U. (1982). An efficient unification algorithm. ACM Transactions on Programming Languages and Systems, 4(2):258–282.

Mayr, E. W. (1984). An algorithm for the general Petri net reachability problem. SIAM Journal of Computing, 13:441–460.

Mayr, R. and Rusinowitch, M. (1998). Reachability is decidable for ground AC rewrite systems. In Proceedings of the 3rd Intl. Workshop on Verification of Infinite State Systems (INFINITY’98), pages 53–64, Aalborg, Denmark. Technical Report TUM-I9825, Technische Universität München. http://www.informatik.uni-freiburg.de/~mayrri/ac.ps.

Minsky, M. L. (1961). Recursive unsolvability of Post’s problem of “tag” and other topics in the theory of Turing machines. Annals of Mathematics, Second Series, 74(3):437–455.

Monniaux, D. (1999). Abstracting cryptographic protocols with tree automata. In Proc. 6th Intl. Static Analysis Symposium (SAS’99), pages 149–163. Springer-Verlag LNCS 1694.

Niehren, J. and Podelski, A. (1993). Feature automata and recognizable sets of feature trees. In Proc. 4th Intl. Conference on Theory and Practice of Software Development (TAPSOFT’93), pages 356–375. Springer-Verlag LNCS 668.

Ohsaki, H. (2001). Beyond regularity: Equational tree automata for associative and commutative theories. In 14th Annual Conf. of the European Association for Computer Science Logic (CSL’01), pages 539–553. Springer-Verlag LNCS 2142.

Ohsaki, H. and Takai, T. (2002). Decidability and closure properties of equational tree languages. In Tison, S., editor, Proceedings of the 13th Conference on Rewriting Techniques and Applications (RTA’02), pages 114–128. Springer-Verlag LNCS 2378.

Okhotin, A. (2001). Conjunctive grammars. Journal of Automata, Languages and Combinatorics, 6(4):519–535.

Parikh, R. J. (1966). On context-free languages. Journal of the Association for Computing Machinery, 13(4):570–581.

Peltier, N. (1997). Tree automata and automated model building. Fundamenta Informaticae, 30(1):59–81.

Plotkin, G. (1972). Building in equational theories. Machine Intelligence, 7:73–90.

Reutenauer, C. (1993). Aspects Mathématiques des Réseaux de Petri. Masson.

Riazanov, A. and Voronkov, A. (2001). Vampire 1.1 (system description). In Goré et al. (2001), pages 376–380.

Robinson, J. A. and Voronkov, A., editors (2001). Handbook of Automated Reasoning. North-Holland.

Roger, M. (2003). Raffinements de la résolution et vérification de protocoles cryptographiques. PhD thesis, ENS de Cachan. In French.

Sacerdote, G. S. and Tenney, R. L. (1977). The decidability of the reachability problem for vector addition systems. In Proc. 9th Annual ACM Symposium on the Theory of Computing (STOC’77), pages 61–76.

Schimpf, K. M. and Gallier, J. H. (1985). Tree pushdown automata. Journal of Computer and System Sciences, 30(1):25–40.

Seidl, H. (1994). Haskell overloading is DEXPTIME-complete. Information Processing Letters, 52(2):57–60.

Seidl, H., Schwentick, T., and Muscholl, A. (2003). Numerical document queries. In 22nd ACM Symposium on Principles of Database Systems (PODS’03), pages 155–166, San Diego, CA, USA.

Shepherdson, J. C. (1959). The reduction of two-way automata to one-way automata. IBM Journal of Research and Development, 3:199–201.

Slutzki, G. (1985). Alternating tree automata. Theoretical Computer Science, 41:305–318.

Stickel, M. (1981). A unification algorithm for associative-commutative functions. Journal of the Association for Computing Machinery, 28(3):423–434.

Thomas, W. (1990). Automata on infinite objects. In van Leeuwen, J., editor, Handbook of Theoretical Computer Science, chapter 4, pages 133–191. Elsevier Science.

Verma, K. N. (2003a). Automates d’arbres bidirectionnels modulo théories équationnelles. PhD thesis, ENS de Cachan. In English, with French abstracts.

Verma, K. N. (2003b). On closure under complementation of equational tree automata for theories extending AC. In Proc. 10th Intl. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR’2003), pages 183–195. Springer-Verlag LNAI 2850.

Verma, K. N. (2003c). Two-way equational tree automata for AC-like theories: Decidability and closure properties. In Proceedings of the 14th Conference on Rewriting Techniques and Applications (RTA’2003), pages 180–196. Springer-Verlag LNCS 2706.

Verma, K. N. (2004). Alternation in equational tree automata modulo XOR. In 24th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’04), volume 3328 of LNCS, Chennai, India. Springer-Verlag.

Verma, K. N. and Goubault-Larrecq, J. (2005). Karp-Miller trees for a branching extension of VASS. Discrete Mathematics and Theoretical Computer Science, 7(1):217–230.

Verma, K. N., Seidl, H., and Schwentick, T. (2005). On the complexity of equational Horn clauses. In Nieuwenhuis, R., editor, 20th International Conference on Automated Deduction (CADE-05), volume 3632 of LNCS, pages 337–352, Tallinn, Estonia. Springer-Verlag.

Voronkov, A. (2001). Algorithms, datastructures, and other issues in efficient automated deduction. In Goré et al. (2001), pages 13–28.

Weidenbach, C. (2001). Combining superposition, sorts and splitting. In Robinson and Voronkov (2001), chapter 27, pages 1965–2013.

A Deciding Emptiness of Standard Two-Way AC0-Automata

The following proposition states in particular that emptiness is decidable for standard two-way AC0-automata. This is a particular case of Corollary 27, which implies in particular that intersection-emptiness of standard two-way AC0-automata is decidable. We include this proposition, as its proof is simpler, the decision algorithm is straightforward, and we obtain an explicit complexity bound.

Introduce the following notation: ⟨n⟩, for any n ≥ 1, denotes the sum of n distinct variables. The idea is that the only ground instances of ⟨n⟩ are sums of at least n constants a_i (not necessarily distinct).

Proposition 64 The AC-satisfiability of sets of free pop clauses, of clauses (14)–(17), and generalized query clauses

    ⊥ ⇐ P(⟨n⟩)

is decidable and in NP.

In particular, it is decidable in NP whether, given any standard two-way AC0-automaton A and a state P, the language L_P(A) is empty.

PROOF. It suffices to show that input resolution, with eager linear subsumption and splitting, terminates.

Input resolution only generates new negative clauses. We claim that, starting from S_0, the only negative clauses generated by input resolution with eager splitting are generalized query clauses.

• Resolving⊥ ⇐ P (〈n〉) with a free pop clauseP (f(x1, . . . , xm)) ⇐ P1(x1),. . . , Pm(xm) yields⊥ ⇐ P1(x1), . . . , Pm(xm) (providedn = 1), which splits asthem clauses⊥ ⇐ Pi(〈1〉), 1 ≤ i ≤ m.

• Resolving⊥ ⇐ P (〈n〉) with a +-pop clauseP (x + y) ⇐ P1(x), P2(y). Theintuition is that unifyingx + y with 〈n〉 means splitting〈n〉 (a sum of at leastn constants) in two sums; any unifier must then mapx to 〈n1〉 andy to 〈n2〉with n1 + n2 = n; resolution generates⊥ ⇐ P (〈n1〉), P (〈n2〉), which splits in⊥ ⇐ P (〈n1〉) and⊥ ⇐ P (〈n2〉).

Formally, use Lemma 55; writing 〈n〉 as x1 + … + xn, we get that the elements of a complete set of AC-unifiers of 〈n〉 and x + y are the substitutions σR, where R ranges over all bisimulations between {1, …, n} and {1, 2}. Observe that σR maps x to $\sum_{i \mid (i,1)\in R} z_{ij}$ and y to $\sum_{i \mid (i,2)\in R} z_{ij}$, where the variables zij are fresh, and $\sum_{i,j} z_{ij} \approx_{AC} \langle n \rangle$. Let nj be the number of indices i such that (i, j) ∈ R, j ∈ {1, 2}. In particular n1 + n2 = n. The resulting resolvent is

$\bot \Leftarrow P_1\Big(\sum_{i \mid (i,1)\in R} z_{ij}\Big),\ P_2\Big(\sum_{i \mid (i,2)\in R} z_{ij}\Big).$

Since no zij free in the first atom is free in the second one, this splits. The resulting clauses are then ⊥ ⇐ P1(〈n1〉) and ⊥ ⇐ P2(〈n2〉).

• Resolving ⊥ ⇐ P(〈n〉) with a base clause P(ai) only succeeds when n = 1, and the resulting resolvent is the empty clause.

• Resolving ⊥ ⇐ P(〈n〉) with an ε-clause P(x) ⇐ P1(x) yields ⊥ ⇐ P1(〈n〉).

• Resolving ⊥ ⇐ P(〈n〉) with a standard +-push clause P(x) ⇐ P1(x + y) yields ⊥ ⇐ P1(〈n + 1〉).

If any branch of the tableau obtained by input resolution, linear subsumption, and splitting were infinite, then there would be infinitely many generalized query clauses on this branch. By the pigeonhole principle, there would be a predicate symbol P and an infinite sequence of integers n1 < n2 < … such that all generalized query clauses ⊥ ⇐ P(〈ni〉) are on the branch. But ⊥ ⇐ P(〈n1〉) subsumes them all linearly, so only finitely many of them can have been generated and survived linear subsumption.

Let us evaluate the complexity of the process. Note that the size of P(〈n〉) is linear in n (i.e., n is coded in unary, as a sum of n distinct variables). Note that, by using linear subsumption, for every predicate symbol P, there is at most one clause ⊥ ⇐ P(〈n〉) in any branch S at any time. Let N(S) be the largest integer n such that ⊥ ⇐ P(〈n〉) is in S for some predicate P (0 if none), let Σ(S) be their sum, k(S) be the number of predicates P in S0 such that no clause ⊥ ⇐ P(〈n〉) is present in S, and K the number of predicates in S0. Define the measure µ(S) as k(S)N(S) + (k(S) + 1)(k(S) + 2)/2 + Σ(S), and note that µ(S) is polynomial in the size of S. We can now check that µ(S) always decreases from any branch to any of its descendants; the idea is that Σ(S) decreases strictly when a new resolvent ⊥ ⇐ P(〈n〉) is added and there was already some clause ⊥ ⇐ P(〈n′〉), because the new clause can be added only if n < n′ and hence the older clause gets subsumed; while generating a new resolvent ⊥ ⇐ P(〈n〉) when no clause ⊥ ⇐ P(〈n′〉) is present (then necessarily n ≤ N(S) + 1, the worst case being when we resolve with a standard +-push clause) decreases k(S) by one, increases Σ(S) by at most N(S) + 1, and increases N(S) by at most one. In other words, if S′ is any new branch obtained this way from S, k(S′) = k(S) − 1, Σ(S′) ≤ Σ(S) + N(S) + 1, and N(S′) ≤ N(S) + 1. So

$$
\begin{aligned}
\mu(S') &= k(S')\,N(S') + \frac{(k(S')+1)(k(S')+2)}{2} + \Sigma(S') \\
&\le (k(S)-1)(N(S)+1) + \frac{k(S)(k(S)+1)}{2} + \Sigma(S) + N(S) + 1 \\
&= k(S)\,N(S) - N(S) - 1 + k(S) + \frac{k(S)(k(S)+1)}{2} + \Sigma(S) + N(S) + 1 \\
&= k(S)\,N(S) - N(S) - 2 + \frac{(k(S)+1)(k(S)+2)}{2} + \Sigma(S) + N(S) + 1 \\
&= \mu(S) - 1 < \mu(S)
\end{aligned}
$$

Since generating resolvents until a new one is found takes time polynomial in the size of S, which is bounded by the number of non-negative clauses in S0 plus Σ(S), and since we can only decrease µ(S) polynomially many times, every branch is eventually saturated in polynomially many steps. Since AC-satisfiability of S is equivalent to the existence of a saturated branch not containing the empty clause in the tableau, the problem is in NP. □
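The decision procedure of this proof, as an added example that is not the paper's code: input resolution on generalized query clauses with eager linear subsumption and splitting, searching the tableau for a saturated branch without the empty clause. The automaton encoding is an assumption of this example: a list of tuples ("base", P, a) for P(ai), ("free", P, f, [P1, …, Pm]) for P(f(x1, …, xm)) ⇐ P1(x1), …, Pm(xm), ("plus_pop", P, P1, P2) for P(x + y) ⇐ P1(x), P2(y), ("eps", P, P1) for P(x) ⇐ P1(x), and ("plus_push", P, P1) for P(x) ⇐ P1(x + y); the n = 1 case of the +-pop step, where the single variable of 〈1〉 unifies with x + y, is handled as the pair (1, 1).

```python
# Added example (not the paper's code): tableau procedure of Proposition 64; ⊥ ⇐ P(<n>) is (P, n).
from itertools import product

def resolvents(auto, P, n):
    """Input resolvents of ⊥ ⇐ P(<n>) as lists of query atoms ([] = empty clause)."""
    out = []
    for kind, _, *rest in (c for c in auto if c[1] == P):
        if kind in ("base", "free") and n == 1:  # <n>, n >= 2, unifies with no a_i or f(..)
            out.append([(r, 1) for r in (rest[1] if kind == "free" else [])])
        elif kind == "plus_pop":  # <n> = <n1> + <n2>, minimal splits only (n1 + n2 = max(n, 2):
            total = max(n, 2)     # for n = 1 the single variable is sent to x + y)
            out += [[(rest[0], k), (rest[1], total - k)] for k in range(1, total)]
        elif kind == "eps":
            out.append([(rest[0], n)])
        elif kind == "plus_push":
            out.append([(rest[0], n + 1)])
    return out

def _add(branch, todo, atom):  # linear subsumption: keep only the least n per predicate
    p, n = atom
    if n < branch.get(p, n + 1):
        branch[p] = n
        todo.append(atom)

def saturate(auto, branch, todo):  # True iff some branch saturates without the empty clause
    while todo:
        P, n = todo.pop()
        if branch.get(P) != n:  # this clause was subsumed in the meantime
            continue
        clauses = resolvents(auto, P, n)
        if any(not c for c in clauses):
            return False  # empty clause derived: branch closed
        for (atom,) in (c for c in clauses if len(c) == 1):
            _add(branch, todo, atom)
        splits = [c for c in clauses if len(c) > 1]
        if splits:  # splitting: each choice of one atom per clause is a child branch
            for choice in product(*splits):
                child, rest = dict(branch), list(todo)
                for atom in choice:
                    _add(child, rest, atom)
                if saturate(auto, child, rest):
                    return True
            return False
    return True

def is_empty(auto, P):  # L_P(A) is empty iff the clauses plus ⊥ ⇐ P(<1>) are AC-satisfiable
    return saturate(auto, {P: 1}, [(P, 1)])

AUTO = [("base", "A", "a"), ("base", "B", "b"), ("plus_pop", "Sum", "A", "B"),   # constructed
        ("plus_push", "Q", "Sum"), ("plus_push", "Two", "Two2"), ("plus_pop", "Two2", "Two", "B")]
```

On the constructed AUTO, is_empty(AUTO, "Q") is False (a ∈ L_Q since a + b ∈ L_Sum), while the push/pop cycle Two/Two2 saturates by subsumption and is_empty(AUTO, "Two") is True.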

We do not know whether the problem is in P, or NP-complete, or in between.
